--- snort-2.8.5.2.orig/config.sub +++ snort-2.8.5.2/config.sub @@ -1,9 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# Free Software Foundation, Inc. -timestamp='2002-01-02' +timestamp='2009-04-17' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -21,14 +22,15 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, -# Boston, MA 02111-1307, USA. - +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. +# # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. + # Please send patches to . Submit a context # diff and a properly formatted ChangeLog entry. # @@ -70,8 +72,8 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." 
@@ -83,11 +85,11 @@ while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) - echo "$timestamp" ; exit 0 ;; + echo "$timestamp" ; exit ;; --version | -v ) - echo "$version" ; exit 0 ;; + echo "$version" ; exit ;; --help | --h* | -h ) - echo "$usage"; exit 0 ;; + echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. @@ -99,7 +101,7 @@ *local*) # First pass through any local machine types. echo $1 - exit 0;; + exit ;; * ) break ;; @@ -118,7 +120,10 @@ # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | storm-chaos* | os2-emx* | windows32-*) + nto-qnx* | linux-gnu* | linux-dietlibc | linux-newlib* | linux-uclibc* | \ + uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | \ + kopensolaris*-gnu* | \ + storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; @@ -144,7 +149,7 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis) + -apple | -axis | -knuth | -cray) os= basic_machine=$1 ;; @@ -169,6 +174,10 @@ -hiux*) os=-hiuxwe2 ;; + -sco6) + os=-sco5v6 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` @@ -185,6 +194,10 @@ # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; + -sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` 
@@ -228,32 +241,57 @@ | a29k \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ + | am33_2.0 \ + | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ + | bfin \ | c4x | clipper \ - | d10v | d30v | dsp16xx \ - | fr30 \ + | d10v | d30v | dlx | dsp16xx \ + | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ - | m32r | m68000 | m68k | m88k | mcore \ - | mips16 | mips64 | mips64el | mips64orion | mips64orionel \ - | mips64vr4100 | mips64vr4100el | mips64vr4300 \ - | mips64vr4300el | mips64vr5000 | mips64vr5000el \ - | mipsbe | mipseb | mipsel | mipsle | mipstx39 | mipstx39el \ - | mipsisa32 \ + | ip2k | iq2000 \ + | lm32 \ + | m32c | m32r | m32rle | m68000 | m68k | m88k \ + | maxq | mb | microblaze | mcore | mep | metag \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nios | nios2 \ | ns16k | ns32k \ - | openrisc \ + | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | sh | sh[34] | sh[34]eb | shbe | shle \ - | sparc | sparc64 | sparclet | sparclite | sparcv9 | sparcv9b \ - | strongarm \ - | tahoe | thumb | tic80 | tron \ + | score \ + | sh | sh[1234] | 
sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ + | spu | strongarm \ + | tahoe | thumb | tic4x | tic80 | tron \ | v850 | v850e \ | we32k \ - | x86 | xscale | xstormy16 | xtensa \ - | z8k) + | x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \ + | z8k | z80) basic_machine=$basic_machine-unknown ;; m6811 | m68hc11 | m6812 | m68hc12) @@ -263,6 +301,9 @@ ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; + ms1) + basic_machine=mt-unknown + ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and 
@@ -281,40 +322,68 @@ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ - | arm-* | armbe-* | armle-* | armv*-* \ - | avr-* \ - | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c54x-* \ - | clipper-* | cray2-* | cydra-* \ - | d10v-* | d30v-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ | elxsi-* \ - | f30[01]-* | f700-* | fr30-* | fx80-* \ + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ - | m32r-* \ - | m68000-* | m680[01234]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | mcore-* \ - | mips-* | mips16-* | mips64-* | mips64el-* | mips64orion-* \ - | mips64orionel-* | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* | mipsbe-* | mipseb-* \ - | mipsle-* | mipsel-* | mipstx39-* | mipstx39el-* \ + | ip2k-* | iq2000-* \ + | lm32-* \ + | m32c-* | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64octeon-* | mips64octeonel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64r5900-* | mips64r5900el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mips64vr5900-* | mips64vr5900el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64sb1-* | mipsisa64sb1el-* \ + | mipsisa64sr71k-* | 
mipsisa64sr71kel-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | mt-* \ + | msp430-* \ + | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ | romp-* | rs6000-* \ - | sh-* | sh[34]-* | sh[34]eb-* | shbe-* | shle-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclite-* \ - | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* \ - | t3e-* | tahoe-* | thumb-* | tic30-* | tic54x-* | tic80-* | tron-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ + | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \ + | tahoe-* | thumb-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* | tile-* \ + | tron-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xmp-* | xps100-* | xscale-* | xstormy16-* \ - | xtensa-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \ + | xstormy16-* | xtensa*-* \ | ymp-* \ - | z8k-*) + | z8k-* | z80-*) + ;; + # Recognize the basic CPU types without company name, with glob match. + xtensa*) + basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. @@ -332,6 +401,9 @@ basic_machine=a29k-amd os=-udi ;; + abacus) + basic_machine=abacus-unknown + ;; adobe68k) basic_machine=m68010-adobe os=-scout @@ -346,6 +418,12 @@ basic_machine=a29k-none os=-bsd ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; amdahl) basic_machine=580-amdahl os=-sysv 
@@ -369,6 +447,10 @@ basic_machine=m68k-apollo os=-bsd ;; + aros) + basic_machine=i386-pc + os=-aros + ;; aux) basic_machine=m68k-apple os=-aux @@ -377,6 +459,22 @@ basic_machine=ns32k-sequent os=-dynix ;; + blackfin) + basic_machine=bfin-unknown + os=-linux + ;; + blackfin-*) + basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; + cegcc) + basic_machine=arm-unknown + os=-cegcc + ;; convex-c1) basic_machine=c1-convex os=-bsd @@ -397,24 +495,31 @@ basic_machine=c38-convex os=-bsd ;; - cray | ymp) - basic_machine=ymp-cray + cray | j90) + basic_machine=j90-cray os=-unicos ;; - cray2) - basic_machine=cray2-cray - os=-unicos + craynv) + basic_machine=craynv-cray + os=-unicosmp ;; - [cjt]90) - basic_machine=${basic_machine}-cray - os=-unicos + cr16) + basic_machine=cr16-unknown + os=-elf ;; crds | unos) basic_machine=m68k-crds ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; da30 | da30-*) basic_machine=m68k-da30 ;; @@ -437,6 +542,14 @@ basic_machine=m88k-motorola os=-sysv3 ;; + dicos) + basic_machine=i686-pc + os=-dicos + ;; + djgpp) + basic_machine=i586-pc + os=-msdosdjgpp + ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx @@ -587,6 +700,14 @@ basic_machine=m68k-isi os=-sysv ;; + m68knommu) + basic_machine=m68k-unknown + os=-linux + ;; + m68knommu-*) + basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; m88k-omron*) basic_machine=m88k-omron ;; @@ -602,6 +723,10 @@ basic_machine=i386-pc os=-mingw32 ;; + mingw32ce) + basic_machine=arm-unknown + os=-mingw32ce + ;; miniframe) basic_machine=m68000-convergent ;; 
@@ -609,24 +734,12 @@ basic_machine=m68k-atari os=-mint ;; - mipsel*-linux*) - basic_machine=mipsel-unknown - os=-linux-gnu - ;; - mips*-linux*) - basic_machine=mips-unknown - os=-linux-gnu - ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; - mmix*) - basic_machine=mmix-knuth - os=-mmixware - ;; monitor) basic_machine=m68k-rom68k os=-coff @@ -639,6 +752,9 @@ basic_machine=i386-pc os=-msdos ;; + ms1-*) + basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` + ;; mvs) basic_machine=i370-ibm os=-mvs @@ -714,6 +830,13 @@ basic_machine=hppa1.1-oki os=-proelf ;; + openrisc | openrisc-*) + basic_machine=or32-unknown + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose 
@@ -730,55 +853,75 @@ basic_machine=i860-intel os=-osf ;; + parisc) + basic_machine=hppa-unknown + os=-linux + ;; + parisc-*) + basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; - pc532 | pc532-*) + pc532 | pc532-*) basic_machine=ns32k-pc532 ;; + pc98) + basic_machine=i386-pc + ;; + pc98-*) + basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; - pentiumpro | p6 | 6x86 | athlon) + pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; - pentiumii | pentium2) + pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; + pentium4) + basic_machine=i786-pc + ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - pentiumii-* | pentium2-*) + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc) basic_machine=powerpc-unknown - ;; + ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown - ;; + ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown - ;; + ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown - ;; + ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; 
@@ -789,6 +932,10 @@ basic_machine=i586-unknown os=-pw32 ;; + rdos) + basic_machine=i386-pc + os=-rdos + ;; rom68k) basic_machine=m68k-rom68k os=-coff @@ -809,6 +956,20 @@ basic_machine=a29k-amd os=-udi ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sde) + basic_machine=mipsisa32-sde + os=-elf + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; sequent) basic_machine=i386-sequent ;; @@ -816,6 +977,12 @@ basic_machine=sh-hitachi os=-hms ;; + sh5el) + basic_machine=sh5le-unknown + ;; + sh64) + basic_machine=sh64-unknown + ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks @@ -883,13 +1050,29 @@ os=-dynix ;; t3e) - basic_machine=t3e-cray + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray os=-unicos ;; tic54x | c54x*) basic_machine=tic54x-unknown os=-coff ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; + tile*) + basic_machine=tile-unknown + os=-linux-gnu + ;; tx39) basic_machine=mipstx39-unknown ;; @@ -903,6 +1086,10 @@ tower | tower-32) basic_machine=m68k-ncr ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; udi29k) basic_machine=a29k-amd os=-udi @@ -924,8 +1111,8 @@ os=-vms ;; vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; + basic_machine=f301-fujitsu + ;; vxworks960) basic_machine=i960-wrs os=-vxworks @@ -946,21 +1133,25 @@ basic_machine=hppa1.1-winbond os=-proelf ;; - windows32) - basic_machine=i386-pc - os=-windows32-msvcrt - ;; - xmp) - basic_machine=xmp-cray - os=-unicos + xbox) + basic_machine=i686-pc + os=-mingw32 ;; - xps | xps100) + xps | xps100) basic_machine=xps100-honeywell ;; + ymp) + basic_machine=ymp-cray + os=-unicos + ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; + z80-*-coff) + basic_machine=z80-unknown + os=-sim + ;; none) basic_machine=none-none os=-none 
@@ -977,16 +1168,12 @@ op60c) basic_machine=hppa1.1-oki ;; - mips) - if [ x$os = x-linux-gnu ]; then - basic_machine=mips-unknown - else - basic_machine=mips-mips - fi - ;; romp) basic_machine=romp-ibm ;; + mmix) + basic_machine=mmix-knuth + ;; rs6000) basic_machine=rs6000-ibm ;; @@ -1003,13 +1190,13 @@ we32k) basic_machine=we32k-att ;; - sh3 | sh4 | sh3eb | sh4eb) + sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; - sparc | sparcv9 | sparcv9b) + sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; - cydra) + cydra) basic_machine=cydra-cydrome ;; orion) @@ -1024,10 +1211,6 @@ pmac | pmac-mpw) basic_machine=powerpc-apple ;; - c4x*) - basic_machine=c4x-none - os=-coff - ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; 
@@ -1079,21 +1262,28 @@ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ + | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* \ + | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ - | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ + | -openbsd* | -solidbsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* \ + | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \ + | -mingw32* | -linux-gnu* | -linux-newlib* | -linux-uclibc* \ + | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* | -morphos*) + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ + | -skyos* | -haiku* | -rdos* | -toppers* | -drops*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) 
@@ -1105,16 +1295,21 @@ ;; esac ;; + -nto-qnx*) + ;; -nto*) - os=-nto-qnx + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ + | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; + -linux-dietlibc) + os=-linux-dietlibc + ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; @@ -1127,6 +1322,9 @@ -opened*) os=-openedition ;; + -os400*) + os=-os400 + ;; -wince*) os=-wince ;; @@ -1148,14 +1346,20 @@ -atheos*) os=-atheos ;; + -syllable*) + os=-syllable + ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; + -nova*) + os=-rtmk-nova + ;; -ns2 ) - os=-nextstep2 + os=-nextstep2 ;; -nsk*) os=-nsk @@ -1167,6 +1371,9 @@ -sinix*) os=-sysv4 ;; + -tpf*) + os=-tpf + ;; -triton*) os=-sysv3 ;; @@ -1194,8 +1401,20 @@ -xenix) os=-xenix ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos + ;; + -zvmoe) + os=-zvmoe + ;; + -dicos*) + os=-dicos ;; -none) ;; @@ -1219,6 +1438,12 @@ # system, and we'll never get to this point. case $basic_machine in + score-*) + os=-elf + ;; + spu-*) + os=-elf + ;; *-acorn) os=-riscix1.2 ;; @@ -1228,11 +1453,14 @@ arm*-semi) os=-aout ;; + c4x-* | tic4x-*) + os=-coff + ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; - pdp11-*) + pdp11-*) os=-none ;; *-dec | vax-*) @@ -1253,12 +1481,18 @@ m68*-cisco) os=-aout ;; + mep-*) + os=-elf + ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; + or32-*) + os=-coff + ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; @@ -1268,9 +1502,15 @@ *-be) os=-beos ;; + *-haiku) + os=-haiku + ;; *-ibm) os=-aix ;; + *-knuth) + os=-mmixware + ;; *-wec) os=-proelf ;; 
@@ -1322,19 +1562,19 @@ *-next) os=-nextstep3 ;; - *-gould) + *-gould) os=-sysv ;; - *-highlevel) + *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; - *-sgi) + *-sgi) os=-irix ;; - *-siemens) + *-siemens) os=-sysv4 ;; *-masscomp) @@ -1403,10 +1643,16 @@ -mvs* | -opened*) vendor=ibm ;; + -os400*) + vendor=ibm + ;; -ptx*) vendor=sequent ;; - -vxsim* | -vxworks*) + -tpf*) + vendor=ibm + ;; + -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) @@ -1430,7 +1676,7 @@ esac echo $basic_machine$os -exit 0 +exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) --- snort-2.8.5.2.orig/snort.8 +++ snort-2.8.5.2/snort.8 @@ -280,7 +280,7 @@ .IP "-P snap-length" Set the packet snaplen to .I snap-length -. By default, this is set to 1514. +\&. By default, this is set to 1514. .IP "-q" Quiet operation. Don't display banner and initialization information. .IP "-Q" --- snort-2.8.5.2.orig/config.guess +++ snort-2.8.5.2/config.guess @@ -1,9 +1,10 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002 Free Software Foundation, Inc. +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# Free Software Foundation, Inc. -timestamp='2002-01-23' +timestamp='2009-04-27' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by 
@@ -17,13 +18,15 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA +# 02110-1301, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. + # Originally written by Per Bothner . # Please send patches to . Submit a context # diff and a properly formatted ChangeLog entry. @@ -53,8 +56,8 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -Free Software Foundation, Inc. +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, +2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -66,11 +69,11 @@ while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) - echo "$timestamp" ; exit 0 ;; + echo "$timestamp" ; exit ;; --version | -v ) - echo "$version" ; exit 0 ;; + echo "$version" ; exit ;; --help | --h* | -h ) - echo "$usage"; exit 0 ;; + echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. 
@@ -88,30 +91,42 @@ exit 1 fi +trap 'exit 1' 1 2 15 -dummy=dummy-$$ -trap 'rm -f $dummy.c $dummy.o $dummy.rel $dummy; exit 1' 1 2 15 +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. -# CC_FOR_BUILD -- compiler used by this script. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. -set_cc_for_build='case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int dummy(){}" > $dummy.c ; - for c in cc gcc c89 ; do - ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ; - if test $? = 0 ; then +# Portable tmp directory creation inspired by the Autoconf team. + +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; - rm -f $dummy.c $dummy.o $dummy.rel ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac' +esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. 
# (ghazi@noc.rutgers.edu 1994-08-24) @@ -138,12 +153,15 @@ # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". - UNAME_MACHINE_ARCH=`(uname -p) 2>/dev/null` || \ - UNAME_MACHINE_ARCH=unknown + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched 
@@ -166,141 +184,128 @@ ;; esac # The OS release - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" - exit 0 ;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - macppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvmeppc:OpenBSD:*:*) - echo powerpc-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pmax:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mipseb-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sun3:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - wgrisc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; + exit ;; *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; + *:SolidBSD:*:*) + echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + exit ;; + 
macppc:MirBSD:*:*) + echo powerpc-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; alpha:OSF1:*:*) - if test $UNAME_RELEASE = "V4.0"; then + case $UNAME_RELEASE in + *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - fi + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. 
- cat <$dummy.s - .data -\$Lformat: - .byte 37,100,45,37,120,10,0 # "%d-%x\n" - - .text - .globl main - .align 4 - .ent main -main: - .frame \$30,16,\$26,0 - ldgp \$29,0(\$27) - .prologue 1 - .long 0x47e03d80 # implver \$0 - lda \$2,-1 - .long 0x47e20c21 # amask \$2,\$1 - lda \$16,\$Lformat - mov \$0,\$17 - not \$1,\$18 - jsr \$26,printf - ldgp \$29,0(\$26) - mov 0,\$16 - jsr \$26,exit - .end main -EOF - eval $set_cc_for_build - $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null - if test "$?" = 0 ; then - case `./$dummy` in - 0-0) - UNAME_MACHINE="alpha" - ;; - 1-0) - UNAME_MACHINE="alphaev5" - ;; - 1-1) - UNAME_MACHINE="alphaev56" - ;; - 1-101) - UNAME_MACHINE="alphapca56" - ;; - 2-303) - UNAME_MACHINE="alphaev6" - ;; - 2-307) - UNAME_MACHINE="alphaev67" - ;; - 2-1307) - UNAME_MACHINE="alphaev68" - ;; - esac - fi - rm -f $dummy.s $dummy - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - exit 0 ;; + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + exit ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? 
echo alpha-pc-interix - exit 0 ;; + exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 - exit 0 ;; + exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 - exit 0;; + exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos - exit 0 ;; + exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos - exit 0 ;; + exit ;; *:OS/390:*:*) echo i370-ibm-openedition - exit 0 ;; + exit ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} - exit 0;; + exit ;; + arm:riscos:*:*|arm:RISCOS:*:*) + echo arm-unknown-riscos + exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp - exit 0;; + exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. if test "`(/bin/universe) 2>/dev/null`" = att ; then 
@@ -308,25 +313,48 @@
 else
 echo pyramid-pyramid-bsd
 fi
- exit 0 ;;
+ exit ;;
 NILE*:*:*:dcosx)
 echo pyramid-pyramid-svr4
- exit 0 ;;
+ exit ;;
+ DRS?6000:unix:4.0:6*)
+ echo sparc-icl-nx6
+ exit ;;
+ DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*)
+ case `/usr/bin/uname -p` in
+ sparc) echo sparc-icl-nx7; exit ;;
+ esac ;;
+ s390x:SunOS:*:*)
+ echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
 sun4H:SunOS:5.*:*)
 echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
 sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
 echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- i86pc:SunOS:5.*:*)
- echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
+ i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
+ eval $set_cc_for_build
+ SUN_ARCH="i386"
+ # If there is a compiler, see if it is configured for 64-bit objects.
+ # Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
+ # This test works for both compilers.
+ if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
+ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ grep IS_64BIT_ARCH >/dev/null
+ then
+ SUN_ARCH="x86_64"
+ fi
+ fi
+ echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit ;;
 sun4*:SunOS:6*:*)
 # According to config.sub, this is the proper way to canonicalize
 # SunOS6. Hard to guess exactly what SunOS6 will be like, but
 # it's likely to be more like Solaris than SunOS4.
 echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
+ exit ;;
 sun4*:SunOS:*:*)
 case "`/usr/bin/arch -k`" in
 Series*|S4*)
@@ -335,12 +363,12 @@
 esac
 # Japanese Language versions have a version number like `4.1.3-JL'.
 echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
- exit 0 ;;
+ exit ;;
 sun3*:SunOS:*:*)
 echo m68k-sun-sunos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 sun*:*:4.2BSD:*)
- UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+ UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
 test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
 case "`/bin/arch`" in
 sun3)
@@ -350,10 +378,10 @@
 echo sparc-sun-sunos${UNAME_RELEASE}
 ;;
 esac
- exit 0 ;;
+ exit ;;
 aushp:SunOS:*:*)
 echo sparc-auspex-sunos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 # The situation for MiNT is a little confusing. The machine name
 # can be virtually everything (everything which is not
 # "atarist" or "atariste" at least should have a processor
@@ -364,37 +392,40 @@
 # be no problem.
 atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
 echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
 echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
 echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
 echo m68k-milan-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
 echo m68k-hades-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
 echo m68k-unknown-mint${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ m68k:machten:*:*)
+ echo m68k-apple-machten${UNAME_RELEASE}
+ exit ;;
 powerpc:machten:*:*)
 echo powerpc-apple-machten${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 RISC*:Mach:*:*)
 echo mips-dec-mach_bsd4.3
- exit 0 ;;
+ exit ;;
 RISC*:ULTRIX:*:*)
 echo mips-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 VAX*:ULTRIX*:*:*)
 echo vax-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 2020:CLIX:*:* | 2430:CLIX:*:*)
 echo clipper-intergraph-clix${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 mips:*:*:UMIPS | mips:*:*:RISCos)
 eval $set_cc_for_build
 sed 's/^ //' << EOF >$dummy.c
@@ -418,27 +449,33 @@
 exit (-1);
 }
 EOF
- $CC_FOR_BUILD $dummy.c -o $dummy \
- && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && rm -f $dummy.c $dummy && exit 0
- rm -f $dummy.c $dummy
+ $CC_FOR_BUILD -o $dummy $dummy.c &&
+ dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` &&
+ SYSTEM_NAME=`$dummy $dummyarg` &&
+ { echo "$SYSTEM_NAME"; exit; }
 echo mips-mips-riscos${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 Motorola:PowerMAX_OS:*:*)
 echo powerpc-motorola-powermax
- exit 0 ;;
+ exit ;;
+ Motorola:*:4.3:PL8-*)
+ echo powerpc-harris-powermax
+ exit ;;
+ Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+ echo powerpc-harris-powermax
+ exit ;;
 Night_Hawk:Power_UNIX:*:*)
 echo powerpc-harris-powerunix
- exit 0 ;;
+ exit ;;
 m88k:CX/UX:7*:*)
 echo m88k-harris-cxux7
- exit 0 ;;
+ exit ;;
 m88k:*:4*:R4*)
 echo m88k-motorola-sysv4
- exit 0 ;;
+ exit ;;
 m88k:*:3*:R3*)
 echo m88k-motorola-sysv3
- exit 0 ;;
+ exit ;;
 AViiON:dgux:*:*)
 # DG/UX returns AViiON for all architectures
 UNAME_PROCESSOR=`/usr/bin/uname -p`
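Review bot: The rewritten probe executes `$dummy` without the `./` prefix the old code used, so the result now depends on `$dummy` containing a directory component (a bare name would be looked up through PATH), and the explicit `rm -f $dummy.c $dummy` is gone, so removal of the compiled probe must happen elsewhere. Both are presumably provided by `set_cc_for_build`, which is outside this hunk and should place the files in a private temporary directory and remove them on exit; a one-line comment next to the compile, such as `# $dummy is created under the temp dir from set_cc_for_build, which also removes it on exit`, would record that dependency. The same pattern appears in the AIX 2.3 hunk (L26), the HP-UX hunk (L27), the HI-UX hunk (L28) and the final fallback compile (L41). The enclosing `mips:*:*:UMIPS` case arm begins outside this hunk.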
@@ -454,29 +491,29 @@
 else
 echo i586-dg-dgux${UNAME_RELEASE}
 fi
- exit 0 ;;
+ exit ;;
 M88*:DolphinOS:*:*) # DolphinOS (SVR3)
 echo m88k-dolphin-sysv3
- exit 0 ;;
+ exit ;;
 M88*:*:R3*:*)
 # Delta 88k system running SVR3
 echo m88k-motorola-sysv3
- exit 0 ;;
+ exit ;;
 XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
 echo m88k-tektronix-sysv3
- exit 0 ;;
+ exit ;;
 Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
 echo m68k-tektronix-bsd
- exit 0 ;;
+ exit ;;
 *:IRIX*:*:*)
 echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
- exit 0 ;;
+ exit ;;
 ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
- echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
- exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
+ exit ;; # Note that: echo "'`uname -s`'" gives 'AIX '
 i*86:AIX:*:*)
 echo i386-ibm-aix
- exit 0 ;;
+ exit ;;
 ia64:AIX:*:*)
 if [ -x /usr/bin/oslevel ] ; then
 IBM_REV=`/usr/bin/oslevel`
@@ -484,7 +521,7 @@
 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 fi
 echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
- exit 0 ;;
+ exit ;;
 *:AIX:2:3)
 if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
 eval $set_cc_for_build
@@ -499,17 +536,20 @@
 exit(0);
 }
 EOF
- $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0
- rm -f $dummy.c $dummy
- echo rs6000-ibm-aix3.2.5
+ if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy`
+ then
+ echo "$SYSTEM_NAME"
+ else
+ echo rs6000-ibm-aix3.2.5
+ fi
 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
 echo rs6000-ibm-aix3.2.4
 else
 echo rs6000-ibm-aix3.2
 fi
- exit 0 ;;
- *:AIX:*:[45])
- IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'`
+ exit ;;
+ *:AIX:*:[456])
+ IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
 if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
 IBM_ARCH=rs6000
 else
@@ -521,28 +561,28 @@
 IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
 fi
 echo ${IBM_ARCH}-ibm-aix${IBM_REV}
- exit 0 ;;
+ exit ;;
 *:AIX:*:*)
 echo rs6000-ibm-aix
- exit 0 ;;
+ exit ;;
 ibmrt:4.4BSD:*|romp-ibm:BSD:*)
 echo romp-ibm-bsd4.4
- exit 0 ;;
+ exit ;;
 ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
 echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
- exit 0 ;; # report: romp-ibm BSD 4.3
+ exit ;; # report: romp-ibm BSD 4.3
 *:BOSX:*:*)
 echo rs6000-bull-bosx
- exit 0 ;;
+ exit ;;
 DPX/2?00:B.O.S.:*:*)
 echo m68k-bull-sysv3
- exit 0 ;;
+ exit ;;
 9000/[34]??:4.3bsd:1.*:*)
 echo m68k-hp-bsd
- exit 0 ;;
+ exit ;;
 hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
 echo m68k-hp-bsd4.4
- exit 0 ;;
+ exit ;;
 9000/[34678]??:HP-UX:*:*)
 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 case "${UNAME_MACHINE}" in
@@ -598,17 +638,37 @@
 exit (0);
 }
 EOF
- (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null) && HP_ARCH=`./$dummy`
- if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi
- rm -f $dummy.c $dummy
+ (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ test -z "$HP_ARCH" && HP_ARCH=hppa
 fi ;;
 esac
+ if [ ${HP_ARCH} = "hppa2.0w" ]
+ then
+ eval $set_cc_for_build
+
+ # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating
+ # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler
+ # generating 64-bit code. GNU and HP use different nomenclature:
+ #
+ # $ CC_FOR_BUILD=cc ./config.guess
+ # => hppa2.0w-hp-hpux11.23
+ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
+ # => hppa64-hp-hpux11.23
+
+ if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+ grep __LP64__ >/dev/null
+ then
+ HP_ARCH="hppa2.0w"
+ else
+ HP_ARCH="hppa64"
+ fi
+ fi
 echo ${HP_ARCH}-hp-hpux${HPUX_REV}
- exit 0 ;;
+ exit ;;
 ia64:HP-UX:*:*)
 HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 echo ia64-hp-hpux${HPUX_REV}
- exit 0 ;;
+ exit ;;
 3050*:HI-UX:*:*)
 eval $set_cc_for_build
 sed 's/^ //' << EOF >$dummy.c
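Review bot: The new `if [ ${HP_ARCH} = "hppa2.0w" ]` in the second hunk leaves `${HP_ARCH}` unquoted, so if `HP_ARCH` is empty when control reaches it, `[` sees `= hppa2.0w` and reports a malformed expression instead of a false result; the `test -z "$HP_ARCH" && HP_ARCH=hppa` fallback only runs in the compile branch, and the other arms of the preceding case are outside this hunk. Writing it as `if [ "${HP_ARCH}" = "hppa2.0w" ]` removes that failure mode and matches the quoting used two lines earlier in `test -z "$HP_ARCH"`. The enclosing `9000/[34678]??:HP-UX` case arm begins outside this hunk.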
@@ -636,166 +696,247 @@ exit (0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 - exit 0 ;; + exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd - exit 0 ;; + exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd - exit 0 ;; + exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix - exit 0 ;; + exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf - exit 0 ;; + exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf - exit 0 ;; + exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi - exit 0 ;; + exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites - exit 0 ;; + exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit 0 ;; + exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit 0 ;; + exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit 0 ;; + exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit 0 ;; + exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit 0 ;; - CRAY*X-MP:*:*:*) - echo xmp-cray-unicos - exit 0 ;; + exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; + exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' - exit 0 ;; + exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - CRAY*T3D:*:*:*) - echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; + exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed 
-e 's/\.[^.]*$/.X/' - exit 0 ;; + exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; - CRAY-2:*:*:*) - echo cray2-cray-unicos - exit 0 ;; + exit ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit 0 ;; + exit ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} - exit 0 ;; + exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} - exit 0 ;; + exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} - exit 0 ;; + exit ;; *:FreeBSD:*:*) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` - exit 0 ;; + case ${UNAME_MACHINE} in + pc98) + echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + amd64) + echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + *) + echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + esac + exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin - exit 0 ;; - i*:MINGW*:*) + exit ;; + *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 - exit 0 ;; + exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. 
+ echo ${UNAME_MACHINE}-mingw32 + exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 - exit 0 ;; - x86:Interix*:3*) - echo i386-pc-interix3 - exit 0 ;; + exit ;; + *:Interix*:[3456]*) + case ${UNAME_MACHINE} in + x86) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + EM64T | authenticamd | genuineintel) + echo x86_64-unknown-interix${UNAME_RELEASE} + exit ;; + IA64) + echo ia64-unknown-interix${UNAME_RELEASE} + exit ;; + esac ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? - echo i386-pc-interix - exit 0 ;; + echo i586-pc-interix + exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin - exit 0 ;; + exit ;; + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin - exit 0 ;; + exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; + exit ;; *:GNU:*:*) + # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` - exit 0 ;; + exit ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix - exit 0 ;; + exit ;; arm*:Linux:*:*) + eval $set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + echo ${UNAME_MACHINE}-unknown-linux-gnu + else + echo ${UNAME_MACHINE}-unknown-linux-gnueabi + fi + exit ;; + avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; + exit ;; + cris:Linux:*:*) + echo cris-axis-linux-gnu + exit ;; + 
crisv32:Linux:*:*) + echo crisv32-axis-linux-gnu + exit ;; + frv:Linux:*:*) + echo frv-unknown-linux-gnu + exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux - exit 0 ;; + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; + exit ;; mips:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef mips #undef mipsel - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mipsel + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mipsel #else - #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=mips #else CPU= #endif - #endif + #endif +EOF + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^CPU/{ + s: ::g + p + }'`" + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } + ;; + mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips64 + #undef mips64el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mips64el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips64 + #else + CPU= + #endif + #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` - rm -f $dummy.c - test x"${CPU}" != x && echo "${CPU}-pc-linux-gnu" && exit 0 + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^CPU/{ + s: ::g + p + }'`" + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; + or32:Linux:*:*) + echo or32-unknown-linux-gnu + exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu - exit 0 ;; + exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-gnu - exit 0 ;; + exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: 
\(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; @@ -809,7 +950,10 @@ objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} - exit 0 ;; + exit ;; + padre:Linux:*:*) + echo sparc-unknown-linux-gnu + exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in @@ -817,29 +961,37 @@ PA8*) echo hppa2.0-unknown-linux-gnu ;; *) echo hppa-unknown-linux-gnu ;; esac - exit 0 ;; + exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-gnu - exit 0 ;; + exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux - exit 0 ;; + exit ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; + exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu - exit 0 ;; + exit ;; + vax:Linux:*:*) + echo ${UNAME_MACHINE}-dec-linux-gnu + exit ;; x86_64:Linux:*:*) echo x86_64-unknown-linux-gnu - exit 0 ;; + exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit ;; i*86:Linux:*:*) # The BFD linker knows what the default object file format is, so # first see if it will tell us. cd to the root directory to prevent # problems with other programs or directories called `ld' in the path. - # Export LANG=C to prevent ld from outputting information in other - # languages. - ld_supported_targets=`LANG=C; export LANG; cd /; ld --help 2>&1 \ + # Set LC_ALL=C to ensure ld outputs messages in English. + ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ | sed -ne '/supported targets:/!d s/[ ][ ]*/ /g s/.*supported targets: *// 
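Review bot: The new `arm*:Linux` probe tests the preprocessor output with `grep -q __ARM_EABI__`, whereas every other compiler probe in this hunk and in the Solaris and HP-UX hunks uses the `grep PATTERN >/dev/null` form; on a host whose grep does not accept `-q`, grep fails with a usage error and the arm branch silently reports `linux-gnueabi`. Using `| grep __ARM_EABI__ >/dev/null` keeps the arm probe consistent with the rest of the file. Similarly, the new `*:GNU/*:*:*` arm lowercases with `tr '[A-Z]' '[a-z]'`, while the FUJITSU arms a few lines earlier spell the alphabets out; the bracket form is interpreted differently by some tr implementations, so the explicit `tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` already used in this file would be the safer spelling.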
@@ -851,15 +1003,12 @@ ;; a.out-i386-linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit 0 ;; - coff-i386) - echo "${UNAME_MACHINE}-pc-linux-gnucoff" - exit 0 ;; + exit ;; "") # Either a pre-BFD a.out linker (linux-gnuoldld) or # one that does not give us useful --help. echo "${UNAME_MACHINE}-pc-linux-gnuoldld" - exit 0 ;; + exit ;; esac # Determine whether the default compiler is a.out or elf eval $set_cc_for_build @@ -876,24 +1025,33 @@ LIBC=gnulibc1 # endif #else - #ifdef __INTEL_COMPILER + #if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) LIBC=gnu #else LIBC=gnuaout #endif #endif + #ifdef __dietlibc__ + LIBC=dietlibc + #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` - rm -f $dummy.c - test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 - test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 + eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' + /^LIBC/{ + s: ::g + p + }'`" + test x"${LIBC}" != x && { + echo "${UNAME_MACHINE}-pc-linux-${LIBC}" + exit + } + test x"${TENTATIVE}" != x && { echo "${TENTATIVE}"; exit; } ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 - exit 0 ;; + exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... 
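Review bot: The second hunk now passes preprocessor output straight to `eval`, and the only thing that keeps that safe is the `sed -n '/^LIBC/{ s: ::g; p }'` filter together with the fact that `$dummy.c` was written by this script a few lines earlier; a reader seeing `eval` on compiler output will want that stated. A comment such as `# Only the LIBC=... lines we planted in $dummy.c survive the sed filter, so the eval is confined to those assignments` above the `eval "\`$CC_FOR_BUILD -E ...` line would make the intent explicit. The same construction is used for the `CPU=` probes in the mips and mips64 arms of the preceding hunk. The enclosing `i*86:Linux` case arm begins outside this hunk.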
@@ -901,7 +1059,27 @@
 # I just have to hope. -- rms.
 # Use sysv4.2uw... so that sysv4* matches it.
 echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
- exit 0 ;;
+ exit ;;
+ i*86:OS/2:*:*)
+ # If we were able to find `uname', then EMX Unix compatibility
+ # is probably installed.
+ echo ${UNAME_MACHINE}-pc-os2-emx
+ exit ;;
+ i*86:XTS-300:*:STOP)
+ echo ${UNAME_MACHINE}-unknown-stop
+ exit ;;
+ i*86:atheos:*:*)
+ echo ${UNAME_MACHINE}-unknown-atheos
+ exit ;;
+ i*86:syllable:*:*)
+ echo ${UNAME_MACHINE}-pc-syllable
+ exit ;;
+ i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+ echo i386-unknown-lynxos${UNAME_RELEASE}
+ exit ;;
+ i*86:*DOS:*:*)
+ echo ${UNAME_MACHINE}-pc-msdosdjgpp
+ exit ;;
 i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
 UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
 if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
@@ -909,99 +1087,113 @@ else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi - exit 0 ;; - i*86:*:5:[78]*) + exit ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} - exit 0 ;; + exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` - (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 - (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 - (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi - exit 0 ;; - i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp - exit 0 ;; + exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i386. - echo i386-pc-msdosdjgpp - exit 0 ;; + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configury will decide that + # this is a cross-build. 
+ echo i586-pc-msdosdjgpp + exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 - exit 0 ;; + exit ;; paragon:*:*:*) echo i860-intel-osf1 - exit 0 ;; + exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi - exit 0 ;; + exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv - exit 0 ;; - M68*:*:R3V[567]*:*) - test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0) + exit ;; + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4.3${OS_REL} && exit 0 + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4 && exit 0 ;; + && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium 
>/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; + exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 - exit 0 ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; + exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; + exit ;; rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; + exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; + exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} - exit 0 ;; + exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 - exit 0 ;; + exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 - exit 0 ;; + exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` 
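Review bot: In the new `NCR*:*:4.2:* | MPRAS*:*:4.2:*` arm, a processor matching `pteron` is reported as `i586-ncr-sysv4.3${OS_REL}`, which reads as a typo for a 64-bit part; if reporting Opteron as i586 is deliberate for compatibility with the other NCR arms, a comment on that line saying so would stop the next reader from "fixing" it. The same arm mixes bare `grep 86` with `/bin/grep entium` and `/bin/grep pteron` on adjacent lines; the old `3[34]??` arm already had that mix, but the new code could use one spelling throughout. This hunk's other changes (the `i*86:*:5:[678]*` comment and the `pc:*:*:*` i586 note) are fine as written.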
@@ -1009,82 +1201,110 @@
 else
 echo ns32k-sni-sysv
 fi
- exit 0 ;;
+ exit ;;
 PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
 # says
 echo i586-unisys-sysv4
- exit 0 ;;
+ exit ;;
 *:UNIX_System_V:4*:FTX*)
 # From Gerald Hewes .
 # How about differentiating between stratus architectures? -djm
 echo hppa1.1-stratus-sysv4
- exit 0 ;;
+ exit ;;
 *:*:*:FTX*)
 # From seanf@swdc.stratus.com.
 echo i860-stratus-sysv4
- exit 0 ;;
+ exit ;;
+ i*86:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo ${UNAME_MACHINE}-stratus-vos
+ exit ;;
 *:VOS:*:*)
 # From Paul.Green@stratus.com.
 echo hppa1.1-stratus-vos
- exit 0 ;;
+ exit ;;
 mc68*:A/UX:*:*)
 echo m68k-apple-aux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 news*:NEWS-OS:6*:*)
 echo mips-sony-newsos6
- exit 0 ;;
+ exit ;;
 R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
 if [ -d /usr/nec ]; then
 echo mips-nec-sysv${UNAME_RELEASE}
 else
 echo mips-unknown-sysv${UNAME_RELEASE}
 fi
- exit 0 ;;
+ exit ;;
 BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
 echo powerpc-be-beos
- exit 0 ;;
+ exit ;;
 BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
 echo powerpc-apple-beos
- exit 0 ;;
+ exit ;;
 BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
 echo i586-pc-beos
- exit 0 ;;
+ exit ;;
+ BePC:Haiku:*:*) # Haiku running on Intel PC compatible.
+ echo i586-pc-haiku
+ exit ;;
 SX-4:SUPER-UX:*:*)
 echo sx4-nec-superux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 SX-5:SUPER-UX:*:*)
 echo sx5-nec-superux${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
+ SX-6:SUPER-UX:*:*)
+ echo sx6-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-7:SUPER-UX:*:*)
+ echo sx7-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-8:SUPER-UX:*:*)
+ echo sx8-nec-superux${UNAME_RELEASE}
+ exit ;;
+ SX-8R:SUPER-UX:*:*)
+ echo sx8r-nec-superux${UNAME_RELEASE}
+ exit ;;
 Power*:Rhapsody:*:*)
 echo powerpc-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *:Rhapsody:*:*)
 echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *:Darwin:*:*)
- echo `uname -p`-apple-darwin${UNAME_RELEASE}
- exit 0 ;;
+ UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
+ case $UNAME_PROCESSOR in
+ unknown) UNAME_PROCESSOR=powerpc ;;
+ esac
+ echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ exit ;;
 *:procnto*:*:* | *:QNX:[0123456789]*:*)
- if test "${UNAME_MACHINE}" = "x86pc"; then
+ UNAME_PROCESSOR=`uname -p`
+ if test "$UNAME_PROCESSOR" = "x86"; then
+ UNAME_PROCESSOR=i386
 UNAME_MACHINE=pc
 fi
- echo `uname -p`-${UNAME_MACHINE}-nto-qnx
- exit 0 ;;
+ echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ exit ;;
 *:QNX:*:4*)
 echo i386-pc-qnx
- exit 0 ;;
- NSR-[GKLNPTVW]:NONSTOP_KERNEL:*:*)
+ exit ;;
+ NSE-?:NONSTOP_KERNEL:*:*)
+ echo nse-tandem-nsk${UNAME_RELEASE}
+ exit ;;
+ NSR-?:NONSTOP_KERNEL:*:*)
 echo nsr-tandem-nsk${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *:NonStop-UX:*:*)
 echo mips-compaq-nonstopux
- exit 0 ;;
+ exit ;;
 BS2000:POSIX*:*:*)
 echo bs2000-siemens-sysv
- exit 0 ;;
+ exit ;;
 DS/*:UNIX_System_V:*:*)
 echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
- exit 0 ;;
+ exit ;;
 *:Plan9:*:*)
 # "uname -m" is not consistent, so use $cputype instead. 386
 # is converted to i386 for consistency with other x86
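Review bot: The new Darwin arm only recovers from `uname -p` failing: `UNAME_PROCESSOR=\`uname -p\` || UNAME_PROCESSOR=unknown` leaves `UNAME_PROCESSOR` empty when the command succeeds but prints nothing, and the output then starts with `-apple-darwin`. Extending the case pattern to `unknown|'') UNAME_PROCESSOR=powerpc ;;` covers both. The new QNX arm has the same shape (`UNAME_PROCESSOR=\`uname -p\`` with no fallback at all), so the same guard would apply there if an empty result is possible on that platform. This hunk begins on the previous line (L38).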
@@ -1095,36 +1315,50 @@
 UNAME_MACHINE="$cputype"
 fi
 echo ${UNAME_MACHINE}-unknown-plan9
- exit 0 ;;
- i*86:OS/2:*:*)
- # If we were able to find `uname', then EMX Unix compatibility
- # is probably installed.
- echo ${UNAME_MACHINE}-pc-os2-emx
- exit 0 ;;
+ exit ;;
 *:TOPS-10:*:*)
 echo pdp10-unknown-tops10
- exit 0 ;;
+ exit ;;
 *:TENEX:*:*)
 echo pdp10-unknown-tenex
- exit 0 ;;
+ exit ;;
 KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
 echo pdp10-dec-tops20
- exit 0 ;;
+ exit ;;
 XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
 echo pdp10-xkl-tops20
- exit 0 ;;
+ exit ;;
 *:TOPS-20:*:*)
 echo pdp10-unknown-tops20
- exit 0 ;;
+ exit ;;
 *:ITS:*:*)
 echo pdp10-unknown-its
- exit 0 ;;
- i*86:XTS-300:*:STOP)
- echo ${UNAME_MACHINE}-unknown-stop
- exit 0 ;;
- i*86:atheos:*:*)
- echo ${UNAME_MACHINE}-unknown-atheos
- exit 0 ;;
+ exit ;;
+ SEI:*:*:SEIUX)
+ echo mips-sei-seiux${UNAME_RELEASE}
+ exit ;;
+ *:DragonFly:*:*)
+ echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ exit ;;
+ *:*VMS:*:*)
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ case "${UNAME_MACHINE}" in
+ A*) echo alpha-dec-vms ; exit ;;
+ I*) echo ia64-dec-vms ; exit ;;
+ V*) echo vax-dec-vms ; exit ;;
+ esac ;;
+ *:XENIX:*:SysV)
+ echo i386-pc-xenix
+ exit ;;
+ i*86:skyos:*:*)
+ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+ exit ;;
+ i*86:rdos:*:*)
+ echo ${UNAME_MACHINE}-pc-rdos
+ exit ;;
+ i*86:AROS:*:*)
+ echo ${UNAME_MACHINE}-pc-aros
+ exit ;;
 esac
 #echo '(No uname command or uname output not recognized.)' 1>&2
@@ -1156,7 +1390,7 @@
 #endif
 #if defined (__arm) && defined (__acorn) && defined (__unix)
- printf ("arm-acorn-riscix"); exit (0);
+ printf ("arm-acorn-riscix\n"); exit (0);
 #endif
 #if defined (hp300) && !defined (hpux)
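Review bot: The new `i*86:skyos` arm wraps the release in a no-op command substitution: `echo ${UNAME_MACHINE}-pc-skyos\`echo ${UNAME_RELEASE}\` | sed -e 's/ .*$//'` forks an extra shell for nothing, since the same output comes from `echo ${UNAME_MACHINE}-pc-skyos${UNAME_RELEASE} | sed -e 's/ .*$//'`, which is also how the neighbouring DragonFly arm is written. In the new `*:*VMS:*:*` arm the inner case handles only `A*`, `I*` and `V*` and otherwise falls out of the outer case with no output; that appears intentional (it matches the `DRS?6000` and `Interix` arms earlier in the diff), but a short `# fall through to the compile-based detection below` on the `esac ;;` line would make it clear that the silent fall-through is by design.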
@@ -1245,12 +1479,12 @@
 }
 EOF
-$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm -f $dummy.c $dummy && exit 0
-rm -f $dummy.c $dummy
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` &&
+ { echo "$SYSTEM_NAME"; exit; }
 # Apollos put the system type in the environment.
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; }
 # Convex versions that predate uname can use getsysinfo(1)
@@ -1259,22 +1493,22 @@
 case `getsysinfo -f cpu_type` in
 c1*)
 echo c1-convex-bsd
- exit 0 ;;
+ exit ;;
 c2*)
 if getsysinfo -f scalar_acc
 then echo c32-convex-bsd
 else echo c2-convex-bsd
 fi
- exit 0 ;;
+ exit ;;
 c34*)
 echo c34-convex-bsd
- exit 0 ;;
+ exit ;;
 c38*)
 echo c38-convex-bsd
- exit 0 ;;
+ exit ;;
 c4*)
 echo c4-convex-bsd
- exit 0 ;;
+ exit ;;
 esac
 fi
@@ -1285,7 +1519,9 @@
 the operating system you are using. It is advised that you
 download the most up to date version of the config scripts from
- ftp://ftp.gnu.org/pub/gnu/config/
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+and
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
 If the version you run ($0) is already up to date, please
 send the following data and any information you think might be
--- snort-2.8.5.2.orig/rules/oracle.rules
+++ snort-2.8.5.2/rules/oracle.rules
@@ -0,0 +1,375 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $
+#----------
+# ORACLE RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious oracle traffic.
+# These signatures are based from signatures written by Hank Leininger
+# for Enterasys's Dragon IDS that he released
+# publicly.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do oracle development. If you use an
+# Oracle based web application, you should set the destination port to
+# 80 to catch attackers attempting to exploit your web application.
+# + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views 
access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; 
classtype:attempted-user; sid:2608; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;) + 
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;) + +alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;) +alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nchar 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.relocate_masterdef 
buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;) +alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;) --- snort-2.8.5.2.orig/rules/community-ftp.rules +++ snort-2.8.5.2/rules/community-ftp.rules @@ -0,0 +1,4 @@ +# Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# These rules are licensed under the GNU General Public License. +# Please see the file LICENSE in this directory for more details. +# $Id: community-ftp.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $ --- snort-2.8.5.2.orig/rules/dns.rules +++ snort-2.8.5.2/rules/dns.rules 
@@ -0,0 +1,54 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#----------
+# DNS RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
+
+
+
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
--- snort-2.8.5.2.orig/rules/rservices.rules
+++ snort-2.8.5.2/rules/rservices.rules
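Review bot: The TCP TSIG rule sid:303 begins its content with `|AB CD|`, which sits where the DNS transaction ID goes, so the signature is tied to the one exploit that uses that ID and a copy sent with any other ID — trivial for a sender to arrange — passes unnoticed. Dropping the two ID bytes and anchoring on the flags word the way sid:3153 already does for TCP (`byte_test` at offset 4, i.e. after the 2-byte length prefix and the ID) gives `content:"|09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; offset:4;`, with a `depth` equal to the content length if the match is to be pinned exactly. The commented-out sid:2922 reads the flags at offset 2, which on TCP is the transaction ID rather than the flags sid:3153 reads at 4, and both sid:2921/2922 cite the TSIG references (bugtraq,2302; cve,2001-0010) while testing the same IQUERY opcode that sid:3153/3154 attribute to cve,1999-0009 — worth fixing before anyone uncomments them. sid:303 and sid:314 also disagree on the bugtraq ID for the same advisory (2302 vs 2303); presumably one is a typo.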
@@ -0,0 +1,35 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: rservices.rules,v 1.22.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#----------------
+# RSERVICES RULES
+#----------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
--- snort-2.8.5.2.orig/rules/community-game.rules
+++ snort-2.8.5.2/rules/community-game.rules
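Review bot: The rexec rules sid:2113 and sid:2114 at the end of the hunk carry no `reference:`, so the thresholds `offset:9` and `distance:33` cannot be checked against any advisory, and the username rule does not bound the username at all: it needs one NUL at or after byte 9 and two more NULs after it, which a normal request laid out as port, user, password and command (each NUL-terminated, if rexec's usual framing applies) satisfies as soon as port and user together reach eight bytes. A pcre that measures the second field, e.g. `pcre:"/^[^\x00]*\x00[^\x00]{N,}\x00/"` with N taken from the vulnerable daemon's buffer size, would state the intent and stop alerting on long but ordinary usernames; the password rule has the same weakness, since its first `content:"|00|"` can land on any field. The two `.rhosts` rules also disagree on spacing — sid:603 (port 513) wants `echo " + + "` with spaces inside the quotes while sid:608 (port 514) wants `echo "+ +"` — so each port catches only one spelling; `pcre:"/echo\s+\x22\s*\+\s+\+\s*\x22/"` would cover both. sid:604 is labelled `rsh froot` although it watches port 513, the rlogin port.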
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;)
--- snort-2.8.5.2.orig/rules/p2p.rules
+++ snort-2.8.5.2/rules/p2p.rules
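Review bot: The FlatFrag rule sid:100000181 conditions the match on `fragbits:D; id:1;`, i.e. on the IP header of one proof-of-concept's hand-built packet rather than on anything the server reacts to, so the same 99-byte payload sent with a different IP ID or without DF goes undetected; drop `id:1` and `fragbits:D` and let `dsize:99` plus the content carry the match (with a `depth` if the advisory says where the `aaa` bytes sit). The three `dsize:0` rules sid:100000102-104 fire on any empty UDP datagram to ports 2305, 7649 and 27777, which is exactly what a UDP port scanner sends, so they will label scanners as denial-of-service attempts whether or not a game server is listening; a `threshold` line, or a comment naming what the server does with an empty packet, would make the alert defensible. sid:100000182 needs more than 8192 bytes of UDP payload (`dsize:>8192`), which on a standard-MTU link only exists after IP reassembly, so it presumably relies on the frag3 preprocessor being configured in front of it — that dependency deserves a comment in the file.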
@@ -0,0 +1,43 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: p2p.rules,v 1.17.2.3.2.3 2005/06/15 23:02:34 mwatchinski Exp $
+#-------------
+# P2P RULES
+#-------------
+# These signatures look for usage of P2P protocols, which are usually
+# against corporate policy
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
+alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2586; rev:2;)
+alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; depth:4; offset:16; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:3;)
--- snort-2.8.5.2.orig/rules/porn.rules
+++ snort-2.8.5.2/rules/porn.rules
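Review bot: In the BitTorrent announce rule sid:2180 the content chain switches from a relative modifier to absolute ones: after `content:"/announce"; distance:1;` the next two contents use `offset:4;`, and in Snort 2 `offset` restarts the search at payload byte 4 rather than after the previous match, so `info_hash=` and `event=started` may sit anywhere from byte 4 on — including before `/announce` — and the rule does not express the URL ordering it appears to intend; `content:"info_hash="; distance:0; content:"event=started"; distance:0;` keeps the chain relative. sid:1699 looks for `UserAgent|3A| KazaaClient`, but the HTTP header is spelled `User-Agent:`, so unless the Kazaa client really emitted the hyphen-less form this content never matches; it should be checked against a capture before the rule is shipped. Of the four Napster `.mp3` rules sid:561-564, sid:562 uses `flow:to_server,established` while the other three use `flow:established`, which looks accidental for rules that differ only in port.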
@@ -0,0 +1,51 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: porn.rules,v 1.12.6.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#-------------
+# PORN RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)
+
--- snort-2.8.5.2.orig/rules/snmp.rules
+++ snort-2.8.5.2/rules/snmp.rules
@@ -0,0 +1,39 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: snmp.rules,v 1.17.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ---------------
+# SNMP RULES
+# ---------------
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
+alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
+alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)
--- snort-2.8.5.2.orig/rules/finger.rules
+++ snort-2.8.5.2/rules/finger.rules
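Review bot: sids 1415 through 1421 (`SNMP Broadcast request` to `SNMP AgentX/tcp request`) carry no content, pcre or byte test at all, so each fires on every packet that reaches the listed port from $EXTERNAL_NET; they are per-packet traffic logs rather than detections, and with $EXTERNAL_NET left at `any` they also fire on routine NMS polling and trap delivery inside the network. If they stay enabled they should at least be rate-limited, e.g. `threshold:type limit, track by_src, count 1, seconds 60;`, or shipped commented out the way the optional rules in sql.rules are. Separately, sids 1411 to 1414 match `public`/`private` anywhere in the payload with no offset or depth, so any OID value or varbind string containing those words also trips them; anchoring them near the community-string position the way sid 1893 does with `offset:5` would cut that noise, though the exact position depends on the BER length fields and may need a pcre rather than a fixed offset.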
@@ -0,0 +1,37 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: finger.rules,v 1.26.2.2.2.2 2005/05/31 17:13:02 mwatchinski Exp $
+#-------------
+# FINGER RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:3;)
--- snort-2.8.5.2.orig/rules/sql.rules
+++ snort-2.8.5.2/rules/sql.rules
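Review bot: sids 332 and 333 match `content:"0"` and `content:"."` anywhere in the request with no depth or anchor, so an ordinary lookup whose username contains a zero or a dot (`j.doe`, `user01`) raises a recon alert, and sid 323's bare `content:"root"` likewise fires on any name that merely contains that substring. sid 3151 in the same hunk already shows the anchored form (`content:"/"; pcre:"/^\x2f/smi";`); if the intent of 332 is the literal `0` request, `content:"0"; depth:1; pcre:"/^0\r?\n/sm";` expresses that, with the analogous change for 333 and a word-boundary anchor for 323. These three are likely the noisiest rules in the file and are worth tightening before it ships enabled.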
@@ -0,0 +1,78 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: sql.rules,v 1.28.2.3.2.4 2005/07/22 19:19:54 mwatchinski Exp $
+#----------
+# SQL RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:1386; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:691; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:1759; rev:5;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;)
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:8;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"MS-SQL Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL version overflow attempt"; flowbits:isnotset,ms_sql_seen_dns; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; classtype:misc-activity; sid:2050; rev:8;)
+alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:6;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 4 requests"; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3446; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 9 requests"; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3451; rev:3;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 5 requests"; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3447; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 2 requests"; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3444; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 1 requests"; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3443; rev:3;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 10 requests"; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3452; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 6 requests"; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3448; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 3 requests"; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3445; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 8 requests"; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3450; rev:3;)
+# alert udp $HOME_NET 1434 -> any 53 (msg:"MS-SQL DNS query with 7 requests"; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; classtype:not-suspicious; sid:3449; rev:3;)
--- snort-2.8.5.2.orig/rules/reference.config
+++ snort-2.8.5.2/rules/reference.config
@@ -0,0 +1,14 @@
+# $Id: reference.config,v 1.4 2003/10/20 15:03:04 chrisgreen Exp $
+# The following defines URLs for the references found in the rules
+#
+# config reference: system URL
+
+config reference: bugtraq http://www.securityfocus.com/bid/
+config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+
+# Note, this one needs a suffix as well.... lets add that in a bit.
+config reference: McAfee http://vil.nai.com/vil/content/v_
+config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url http://
+
--- snort-2.8.5.2.orig/rules/ftp.rules
+++ snort-2.8.5.2/rules/ftp.rules
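Review bot: sid 2050 gates on `flowbits:isnotset,ms_sql_seen_dns`, but the only rules that set that bit (sids 3443 through 3452, the `MS-SQL DNS query with N requests` rules) are all commented out in this hunk, so the check is always true and 2050 alerts on every `|04|`-prefixed datagram over 100 bytes sent to 1434; the benign case those DNS rules exist to exclude is never excluded. Either enable the setter rules together with 2050 or drop the flowbits clause and say so next to the rule, e.g. `# ms_sql_seen_dns is only set by sids 3443-3452; enable them alongside 2050`. sids 688 and 3152 both key on the same `Login failed for user 'sa'` response from 1433, so a burst of failed logins raises 688 on every packet and 3152 again after the fifth, which double-counts one event; consider leaving only the thresholded 3152 enabled by default.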
@@ -0,0 +1,112 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: ftp.rules,v 1.57.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#----------
+# FTP RULES
+#----------
+
+
+# protocol verification
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; 
reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2343; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; 
isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:22;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; 
reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:bugtraq,7307; reference:bugtraq,8376; 
reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; classtype:attempted-admin; sid:1734; rev:30;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:1972; rev:16;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:nessus,12108; classtype:attempted-admin; sid:1973; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; 
isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1975; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:1976; rev:9;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; dsize:10; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; dsize:10; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;) + + + + +# bad ftp commands +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; 
sid:1864; rev:7;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:15;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x2a/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1777; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; pcre:"/^STAT\s+[^\n]*\x3f/smi"; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:attempted-dos; sid:1778; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;) + +# bad directories +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; 
content:"CWD"; nocase; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:11;) + +# vulnerabilities against specific implementations of ftp +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:15;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:8;) + + +# BAD FILES +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; 
classtype:suspicious-filename-detect; sid:334; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;) + +# suspicious login attempts +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; 
flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:16;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2179; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; 
reference:url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx; classtype:misc-attack; sid:2338; rev:13;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; 
pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;)
--- snort-2.8.5.2.orig/rules/misc.rules
+++ snort-2.8.5.2/rules/misc.rules
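Review bot: Two rules in this hunk have no real protocol anchor and will be a steady noise source on any busy FTP server: sid:1748 ("FTP command overflow attempt") fires on `dsize:>100` alone with no content match, so a long but legitimate CWD/STOR path trips it, and sid:2417 ("FTP format string attempt") matches `content:"%"` plus `/\s+.*?%.*?%/smi`, i.e. any command line containing two percent signs such as a URL-encoded filename. Neither is wrong as a last-resort catch, but they should be marked so that operators tune or threshold them before enabling the file, e.g. a comment above sid:1748 reading `# sid:1748 and sid:2417 have no command anchor and match any long or %%-containing line; expect false positives on long paths, threshold or tune before use`. The command-specific overflow rules above them are tighter (`isdataat:100,relative` plus an anchored `^CMD\s[^\n]{100}` pcre) and could be cited as the pattern to follow. Separately, the messages for sid:2125 and sid:360 spell "traversal" as "transversal"; since these strings are searched by analysts, they are worth correcting in a follow-up rev bump.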
@@ -0,0 +1,119 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# MISC RULES
+#-----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
+alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
+alert tcp $EXTERNAL_NET 53 -> 
$HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;) +alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;) + +# once we get response, check for content:"|00 01 00|"; offset:0; depth:3; +alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;) +# alert ip $EXTERNAL_NET any -> $HOME_NET any 
(msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;) +alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;) +alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;) +alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;) +alert 
udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;) + + +# once we get response, check for content:"|03|"; offset:0; depth:1; +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; 
reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;) +alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;) + +alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;) +alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;) + + +# This rule needs some work since you don't have to pass BEGIN and END +# anywhere near each other. +# +#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \ +#! 
msg:"MISC CVS username overflow attempt"; flow:to_server,established; \ +#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \ +#! within:255; classtype:misc-attack;) + + +# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot 
make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;) + + + +alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;) + +# this rule is specificly not looking for flow, since tcpdump handles lengths wrong +alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;) +alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;) + + +alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; 
flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;) + + + +alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;) +alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; 
depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;) + + +alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;) + + +alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;) +alert udp $EXTERNAL_NET 
any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;) --- snort-2.8.5.2.orig/rules/web-coldfusion.rules +++ snort-2.8.5.2/rules/web-coldfusion.rules 
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#---------------------
+# WEB-COLDFUSION RULES
+#---------------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
--- snort-2.8.5.2.orig/rules/dos.rules
+++ snort-2.8.5.2/rules/dos.rules
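Review bot: sid:905 and sid:932 both carry msg:"WEB-COLDFUSION application.cfm access", so an analyst reading alert output cannot tell the exampleapp/publish/admin path (sid:905) from the generic `/application.cfm` match (sid:932) without looking the sid up; a distinct text for sid:905, e.g. `msg:"WEB-COLDFUSION exampleapp admin application.cfm access"`, removes the ambiguity. sid:936's msg ends in a trailing space (`"... gettempdirectory.cfm access "`), which is carried into every alert and breaks exact-match filtering, and sid:919's `passwordattempt` is missing a space. These are msg-only changes and each needs a `rev` bump alongside it.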
@@ -0,0 +1,45 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
+#----------
+# DOS RULES
+#----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
+# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
+# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
+# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
--- snort-2.8.5.2.orig/rules/pop2.rules
+++ snort-2.8.5.2/rules/pop2.rules
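Review bot: sid:272 and sid:273 are the same detection — identical header, msg:"DOS IGMP dos attack" and `fragbits:M+; ip_proto:2` — differing only in the reference list, so every fragmented IGMP packet from $EXTERNAL_NET produces two alerts with the same text. Keeping sid:272, which carries the fuller reference set, and dropping sid:273, or at minimum giving sid:273 a distinct msg, removes the duplicate. sid:1545 ("DOS Cisco attempt") also hard-codes destination port `80` while the HTTP rules elsewhere in this patch use `$HTTP_PORTS`; `-> $HTTP_SERVERS $HTTP_PORTS` keeps it consistent with the configured port list, and the one-byte `dsize:1; content:"|13|"` match with no references deserves a comment saying what it is meant to catch.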
@@ -0,0 +1,26 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#--------------
+# POP2 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;)
--- snort-2.8.5.2.orig/rules/community-dos.rules
+++ snort-2.8.5.2/rules/community-dos.rules
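Review bot: sid:284 and sid:285 share msg:"POP2 x86 Linux overflow" while matching different byte sequences, so the alert text alone does not say which pattern fired; a distinguishing msg on one of them, e.g. `msg:"POP2 x86 Linux overflow /BIN/SH"` for sid:285, makes triage unambiguous and needs a `rev` bump with it. sid:1934 guards its pcre with `isdataat:256,relative`, which is the right cheap check, but sid:1935 has no such guard and no reference, so a short comment stating what "arbitrary file" refers to would help whoever tunes it later.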
@@ -0,0 +1,16 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-dos.rules,v 1.7 2007/02/22 20:44:35 akirk Exp $
+
+#Rule submitted by rmkml
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY DOS Tcpdump rsvp attack"; ip_proto:46; content:"|00 08 14 01 03 00 00 00|"; reference:cve,2005-1280; reference:cve,2005-1281; reference:bugtraq,13391; classtype:attempted-dos; sid:100000134; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1069 (msg:"COMMUNITY DOS Ethereal slimp overflow attempt"; content:"|6C C3 B2 A1 02 00 04 00 00 00 00 00 00 00 00 00 FF FF 00 00 01 00 00 00 56 57 F7|"; reference:cve,2005-3243; reference:url,www.ethereal.com/docs/release-notes/ethereal-0.10.13.html; classtype:attempted-dos; sid:100000175; rev:1;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 5005 (msg:"COMMUNITY DOS Trend Micro ServerProtect EarthAgent attempt"; flow:stateless; content:"|21 43 65 87|"; reference:cve,2005-1928; reference:url,www.idefense.com/application/poi/display?id=356&type=vulnerabilities; classtype:attempted-dos; sid:100000215; rev:2;)
+
+#Rules submitted by the Verisign MSS Operations Team
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6667:7000 (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - inbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000686; rev:2;)
+alert tcp $HOME_NET 6667:7000 -> $EXTERNAL_NET any (msg:"COMMUNITY DOS EnergyMech parse_notice vulnerability - outbound"; flow:to_server,established; content:"NOTICE|20|"; content:!"|5c|"; within:11; reference:bugtraq,18664; classtype:attempted-dos; sid:100000687; rev:2;)
+
+#Rule submitted by Dan Protich
+alert udp $EXTERNAL_NET !53 <> $HOME_NET !53 (msg:"COMMUNITY DOS Single-Byte UDP Flood"; content:"0"; dsize:1; classtype:attempted-dos; threshold: type threshold, track by_dst, count 200, seconds 60; sid:100000923; rev:1;)
--- snort-2.8.5.2.orig/rules/community-sip.rules
+++ snort-2.8.5.2/rules/community-sip.rules
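Review bot: sid:100000687, the "outbound" EnergyMech rule, pairs a header whose source is the IRC server port range, `$HOME_NET 6667:7000 -> $EXTERNAL_NET any`, with `flow:to_server,established`, which only selects packets travelling toward the session's server side; when the $HOME_NET host on 6667:7000 is that server, the two constraints appear to contradict each other and the rule would never fire. `flow:to_client,established` looks like the intended qualifier for the server-to-bot direction a NOTICE parse bug concerns, with the inbound rule (sid:100000686) keeping `to_server`. Worth confirming against a capture before changing, since the direction depends on how stream tracking classifies the session.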
@@ -0,0 +1,19 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-sip.rules,v 1.5 2006/06/01 15:51:28 akirk Exp $
+
+#Rules submitted by Jiri Markl
+#Rule for alerting of INVITE flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP INVITE message flooding"; content:"INVITE"; depth:6; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000158; rev:2;)
+#Rule for alerting of REGISTER flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP REGISTER message flooding"; content:"REGISTER"; depth:8; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000159; rev:2;)
+#Rule for alerting common TCP/UDP flood attack:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP TCP/IP message flooding directed to SIP proxy"; threshold: type both, track by_src, count 300, seconds 60; classtype:attempted-dos; sid:100000160; rev:2;)
+#Rule for alerting attack using unresolvable DNS names:
+alert udp $DNS_SERVERS 53 -> any any (msg:"COMMUNITY SIP DNS No such name treshold - Abnormaly high count of No such name responses"; content:"|83|"; offset:3; depth:1; threshold: type both, track by_dst, count 100, seconds 60; classtype:attempted-dos; sid:100000161; rev:2;)
+#Threshold rule for unauthorized responses:
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP 401 Unauthorized Flood"; content:"SIP/2.0 401 Unauthorized"; depth:24; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000162; rev:2;)
+alert ip any any -> any 5060 (msg:"COMMUNITY SIP 407 Proxy Authentication Required Flood"; content:"SIP/2.0 407 Proxy Authentication Required"; depth:42; threshold: type both, track by_src, count 100, seconds 60; classtype:attempted-dos; sid:100000163; rev:2;)
+#Rule submitted by rmkml
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/^a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack; sid:100000223; rev:1;)
--- snort-2.8.5.2.orig/rules/community-web-iis.rules
+++ snort-2.8.5.2/rules/community-web-iis.rules
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
+
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
--- snort-2.8.5.2.orig/rules/gen-msg.map
+++ snort-2.8.5.2/rules/gen-msg.map
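Review bot: sid:100000161 is not scoped to SIP at all: it matches any UDP response from $DNS_SERVERS whose byte at offset 3 is `|83|` (the DNS flags byte with RA set and RCODE 3, i.e. a name-error reply) and thresholds by destination, so a burst of NXDOMAIN answers to any host raises a "COMMUNITY SIP" alert with no SIP traffic involved. If a proxy-specific signal is intended, restricting the destination to the proxy address, or renaming the msg to say it is a generic NXDOMAIN-rate rule, stops it being mis-triaged as a SIP event; the msg also misspells "treshold" and "Abnormaly", and any of these changes needs a `rev` bump. sid:100000160 has no content match and alerts purely on packet rate to port 5060, which the comment above it does describe, so that one reads as deliberate.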
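Review bot: sid:100000138 and sid:100000139 match on `$HOME_NET $HTTP_PORTS` while the other HTTP rules in this patch (all of web-coldfusion.rules) use `$HTTP_SERVERS $HTTP_PORTS`, so these two fire for any home host listening on an HTTP port rather than the declared web servers; `-> $HTTP_SERVERS $HTTP_PORTS` keeps the scope consistent. Both also locate the spoofed name with a plain `content` plus a `pcre` that is not bound to the request URI, so `http://localhost/x.asp` appearing anywhere in the request, a posted link for instance, triggers them; if the spoof is carried in the request line, as the absolute-URI form suggests, `uricontent` or the pcre `U` modifier narrows the match to the URI buffer. sid:100000173 has no reference although its sibling sid:100000174 does; carrying the same `reference:cve,2005-1118; reference:bugtraq,13168;` pair, if it is the same issue, would let analysts find the advisory.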
@@ -0,0 +1,175 @@
+# $Id: gen-msg.map,v 1.16.2.2.2.2 2005/04/22 22:11:53 jhewlett Exp $
+# GENERATORS -> msg map
+# Format: generatorid || alertid || MSG
+
+1 || 1 || snort general alert
+2 || 1 || tag: Tagged Packet
+100 || 1 || spp_portscan: Portscan Detected
+100 || 2 || spp_portscan: Portscan Status
+100 || 3 || spp_portscan: Portscan Ended
+101 || 1 || spp_minfrag: minfrag alert
+102 || 1 || http_decode: Unicode Attack
+102 || 2 || http_decode: CGI NULL Byte Attack
+102 || 3 || http_decode: large method attempted
+102 || 4 || http_decode: missing uri
+102 || 5 || http_decode: double encoding detected
+102 || 6 || http_decode: illegal hex values detected
+102 || 7 || http_decode: overlong character detected
+103 || 1 || spp_defrag: Fragmentation Overflow Detected
+103 || 2 || spp_defrag: Stale Fragments Discarded
+104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
+104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
+105 || 1 || spp_bo: Back Orifice Traffic Detected
+105 || 2 || spp_bo: Back Orifice Client Traffic Detected
+105 || 3 || spp_bo: Back Orifice Server Traffic Detected
+106 || 1 || spp_rpc_decode: Fragmented RPC Records
+106 || 2 || spp_rpc_decode: Multiple Records in one packet
+106 || 3 || spp_rpc_decode: Large RPC Record Fragment
+106 || 4 || spp_rpc_decode: Incomplete RPC segment
+110 || 1 || spp_unidecode: CGI NULL Attack
+110 || 2 || spp_unidecode: Directory Traversal
+110 || 3 || spp_unidecode: Unknown Mapping
+110 || 4 || spp_unidecode: Invalid Mapping
+111 || 1 || spp_stream4: Stealth Activity Detected
+111 || 2 || spp_stream4: Evasive Reset Packet
+111 || 3 || spp_stream4: Retransmission
+111 || 4 || spp_stream4: Window Violation
+111 || 5 || spp_stream4: Data on SYN Packet
+111 || 6 || spp_stream4: Full XMAS Stealth Scan
+111 || 7 || spp_stream4: SAPU Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan
+111 || 9 || spp_stream4: NULL Stealth Scan
+111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
+111 || 11 || spp_stream4: VECNA Stealth Scan
+111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
+111 || 13 || spp_stream4: SYN FIN Stealth Scan
+111 || 14 || spp_stream4: TCP forward overlap detected
+111 || 15 || spp_stream4: TTL Evasion attempt
+111 || 16 || spp_stream4: Evasive retransmitited data attempt
+111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
+111 || 18 || spp_stream4: Multiple acked
+111 || 19 || spp_stream4: Shifting to Emegency Session Mode
+111 || 20 || spp_stream4: Shifting to Suspend Mode
+111 || 21 || spp_stream4: TCP Timestamp option has value of zero
+111 || 22 || spp_stream4: Too many overlapping TCP packets
+111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
+112 || 1 || spp_arpspoof: Directed ARP Request
+112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
+112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
+112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
+113 || 1 || spp_frag2: Oversized Frag
+113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
+113 || 3 || spp_frag2: TTL evasion detected
+113 || 4 || spp_frag2: overlap detected
+113 || 5 || spp_frag2: Duplicate first fragments
+113 || 6 || spp_frag2: memcap exceeded
+113 || 7 || spp_frag2: Out of order fragments
+113 || 8 || spp_frag2: IP Options on Fragmented Packet
+113 || 9 || spp_frag2: Shifting to Emegency Session Mode
+113 || 10 || spp_frag2: Shifting to Suspend Mode
+114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
+114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
+114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
+114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
+115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
+115 || 2 || spp_asn1: Invalid ASN.1 length encoding
+115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
+115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
+115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
+116 || 1 || snort_decoder: Not IPv4 datagram!
+116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
+116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
+116 || 4 || snort_decoder: Bad IPv4 Options
+116 || 5 || snort_decoder: Truncated IPv4 Options
+116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
+116 || 46 || snort_decoder: TCP Data Offset is less than 5!
+116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
+116 || 54 || snort_decoder: Tcp Options found with bad lengths
+116 || 55 || snort_decoder: Truncated Tcp Options
+116 || 56 || snort_decoder: T/TCP Detected
+116 || 57 || snort_decoder: Obsolete TCP options
+116 || 58 || snort_decoder: Experimental TCP options
+116 || 95 || snort_decoder: Truncated UDP Header!
+116 || 96 || snort_decoder: Invalid UDP header, length field < 8
+116 || 97 || snort_decoder: Short UDP packet, length field > payload length
+116 || 105 || snort_decoder: ICMP Header Truncated!
+116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
+116 || 107 || snort_decoder: ICMP Address Header Truncated!
+116 || 108 || snort_decoder: Unknown Datagram decoding problem!
+116 || 109 || snort_decoder: Truncated ARP Packet!
+116 || 110 || snort_decoder: Truncated EAP Header!
+116 || 111 || snort_decoder: EAP Key Truncated!
+116 || 112 || snort_decoder: EAP Header Truncated!
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
+116 || 131 || snort_decoder: WARNING: Bad LLC header!
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
+116 || 150 || snort_decoder: Bad Traffic Loopback IP!
+116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
+117 || 1 || spp_portscan2: Portscan detected!
+118 || 1 || spp_conversation: Bad IP protocol!
+119 || 1 || http_inspect: ASCII ENCODING
+119 || 2 || http_inspect: DOUBLE DECODING ATTACK
+119 || 3 || http_inspect: U ENCODING
+119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
+119 || 5 || http_inspect: BASE36 ENCODING
+119 || 6 || http_inspect: UTF-8 ENCODING
+119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
+119 || 8 || http_inspect: MULTI_SLASH ENCODING
+119 || 9 || http_inspect: IIS BACKSLASH EVASION
+119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
+119 || 11 || http_inspect: DIRECTORY TRAVERSAL
+119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
+119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
+119 || 14 || http_inspect: NON-RFC DEFINED CHAR
+119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
+119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
+119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
+119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
+120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
+121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
+121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
+121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
+121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
+122 || 1 || portscan: TCP Portscan
+122 || 2 || portscan: TCP Decoy Portscan
+122 || 3 || portscan: TCP Portsweep
+122 || 4 || portscan: TCP Distributed Portscan
+122 || 5 || portscan: TCP Filtered Portscan
+122 || 6 || portscan: TCP Filtered Decoy Portscan
+122 || 7 || portscan: TCP Filtered Portsweep
+122 || 8 || portscan: TCP Filtered Distributed Portscan
+122 || 9 || portscan: IP Protocol Scan
+122 || 10 || portscan: IP Decoy Protocol Scan
+122 || 11 || portscan: IP Protocol Sweep
+122 || 12 || portscan: IP Distributed Protocol Scan
+122 || 13 || portscan: IP Filtered Protocol Scan
+122 || 14 || portscan: IP Filtered Decoy Protocol Scan
+122 || 15 || portscan: IP Filtered Protocol Sweep
+122 || 16 || portscan: IP Filtered Distributed Protocol Scan
+122 || 17 || portscan: UDP Portscan
+122 || 18 || portscan: UDP Decoy Portscan
+122 || 19 || portscan: UDP Portsweep
+122 || 20 || portscan: UDP Distributed Portscan
+122 || 21 || portscan: UDP Filtered Portscan
+122 || 22 || portscan: UDP Filtered Decoy Portscan
+122 || 23 || portscan: UDP Filtered Portsweep
+122 || 24 || portscan: UDP Filtered Distributed Portscan
+122 || 25 || portscan: ICMP Sweep
+122 || 26 || portscan: ICMP Filtered Sweep
+122 || 27 || portscan: Open Port
+123 || 1 || frag3: IP Options on fragmented packet
+123 || 2 || frag3: Teardrop attack
+123 || 3 || frag3: Short fragment, possible DoS attempt
+123 || 4 || frag3: Fragment packet ends after defragmented packet
+123 || 5 || frag3: Zero-byte fragment
+123 || 6 || frag3: Bad fragment size, packet size is negative
+123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
+123 || 8 || frag3: Fragmentation overlap
+124 || 1 || xlink2state: X-Link2State length greater than 1024
--- snort-2.8.5.2.orig/rules/multimedia.rules
+++ snort-2.8.5.2/rules/multimedia.rules
@@ -0,0 +1,36 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: multimedia.rules,v 1.13.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-------------
+# MULTIMEDIA RULES
+#-------------
+# These signatures look for people using streaming multimedia technologies.
+# Using streaming media may be a violation of corporate policies.
+
+
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:1437; rev:6;)
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; nocase; classtype:policy-violation; sid:1436; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
+alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; nocase; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:3;)
--- snort-2.8.5.2.orig/rules/community-web-dos.rules
+++ snort-2.8.5.2/rules/community-web-dos.rules
@@ -0,0 +1,5 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $
+
--- snort-2.8.5.2.orig/rules/ddos.rules
+++ snort-2.8.5.2/rules/ddos.rules
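Review bot: The realplayer flowbit setters sid:2422 and sid:2423 match `uricontent:".rt"` and `uricontent:".rp"` as bare substrings, so `/report.rtf`, `/pkg.rpm` or `/art.rtx` also set `realplayer.playlist`, and whichever rule consumes that bit (it is not in this hunk) then fires on an unrelated download. Requiring the extension to end the path closes that, e.g. add `pcre:"/\.rt(?:[?;]|$)/Ui";` to sid:2422 and `pcre:"/\.rp(?:[?;]|$)/Ui";` to sid:2423; the `.ram`/`.rmp`/`.smi` matches are rarer substrings but would benefit from the same treatment. Separately, sid:1436/1437/1439/1440 hard-code port 80 while sid:2419-2423 use `$HTTP_PORTS`, and sid:1428 pins a literal `64.245.58.0/23` destination that will silently stop matching if the service moves; both deserve normalising or at least a comment saying why they differ.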
@@ -0,0 +1,66 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-----------
+# DDOS RULES
+#-----------
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
+
+
+alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
+
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
+alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
+alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
+
+
+alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
--- snort-2.8.5.2.orig/rules/other-ids.rules
+++ snort-2.8.5.2/rules/other-ids.rules
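Review bot: The three Trin00 master-password rules are inconsistent with each other: sid:233 carries `reference:arachnids,197` and `classtype:attempted-dos`, sid:234 has no reference at all, and sid:235 has neither a reference nor the same classtype (`bad-unknown`), although all three detect the same attacker-to-master login on TCP/27665. Give them matching metadata, e.g. `classtype:attempted-dos;` on sid:235 and a `reference:` on sid:234/235 pointing at the same trinoo analysis the neighbouring rules cite; sid:243 and sid:246 likewise lack the `reference:cve,2000-0138` that the other mstream rules (sid:244, 245, 247-250) carry. Also worth a comment in the file: sid:228 and sid:251 match on `icmp_id`/`icmp_seq` alone with no payload check, so an ordinary echo reply from a ping implementation that uses its PID as the identifier (PID 456 or 51201) will trigger them; that is inherent to the TFN signature but analysts should know it.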
@@ -0,0 +1,37 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: other-ids.rules,v 1.10.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ---------------
+# OTHER-IDS RULES
+# ---------------
+# These signatures look for uses of other IDSs.
+#
+# These signatures serve two purposes.
+# 1) If you are "IDS GUY" for a company, and someone else sets up an IDS
+# without letting you know, thats bad.
+# 2) If you are "pen-tester", this is a good way to find out what IDS
+# systems your target is using after you have gained access to their
+# network.
+#
+
+
+alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
+alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
+
+# To limit false positives, limit to the default port of 975
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
--- snort-2.8.5.2.orig/rules/community-exploit.rules
+++ snort-2.8.5.2/rules/community-exploit.rules
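Review bot: The comment above sid:1629 says the rule is limited to the default port 975 to reduce false positives, but the rule itself is `$EXTERNAL_NET any -> $HOME_NET any` with a direction-less `flow:established`, so a six-byte prefix `|00|g|00 01 00 03|` at the start of any established TCP payload, in either direction, fires it, and a prefix that short will turn up in unrelated binary protocols. Either apply what the comment promises, `alert tcp $EXTERNAL_NET any -> $HOME_NET 975 (msg:"OTHER-IDS SecureNetPro traffic"; flow:to_server,established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:7;)`, or reword the comment so it stops describing a restriction that is not there. The ISS rules sid:1760/1761 are consistent with each other; no change needed there.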
@@ -0,0 +1,11 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
--- snort-2.8.5.2.orig/rules/x11.rules
+++ snort-2.8.5.2/rules/x11.rules
@@ -0,0 +1,24 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#----------
+# X11 RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
--- snort-2.8.5.2.orig/rules/LICENSE
+++ snort-2.8.5.2/rules/LICENSE
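Review bot: sid:100000100 sets `community_uri.size.1050` with `flowbits:noalert` on every outbound request whose URI is 1050+ bytes, but its only consumer, sid:100000101, is commented out in this same hunk, so `pcre:"/.{1050,}/U"` runs against every HTTP request and the bit is never read. The disabled rule's pcre is probably why it was disabled: `vnd\x2eadobe\x2exdp+xml` treats `+` as a quantifier and `vnd\x2e\ adobe` contains a stray backslash-space. Either fix and re-enable it with `pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp\x2bxml|vnd\x2eadobe\x2exfd\x2bxml)/smi"`, or comment out sid:100000100 alongside it so the setter stops costing cycles for nothing. Separately, sid:100000176 matches `${IFS}` sent to lpd, which (if BID 15136 is the HP-UX rlpdaemon command-execution issue I believe it is) is command injection rather than a DoS, so `classtype:attempted-admin` would describe it better than `attempted-dos`.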
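Review bot: sid:1226 only matches the little-endian connection-setup prefix (`l`, then protocol major version as `0B 00`); a big-endian client sends `B` with the version as `00 0B`, so its unauthenticated xopen slips past the byte-order-specific content. Cover both layouts with a pcre in place of the content, e.g. `pcre:"/^(?:l\x00\x0b\x00|B\x00\x00\x0b)\x00{8}/s"`, which still pins the zero-length authorization name and data fields the original bytes encode. Both rules also watch only port 6000, while an X server for display :1 and up listens on 6001-6063 (`6000:6063` in the port field would cover them), and sid:1225 fires on every legitimate MIT-MAGIC-COOKIE-1 handshake arriving from `$EXTERNAL_NET`, which is normal authentication rather than an exploit, so `classtype:attempted-user` overstates it; at minimum `flow:to_server,established` would stop it matching server-side traffic.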
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. --- snort-2.8.5.2.orig/rules/imap.rules +++ snort-2.8.5.2/rules/imap.rules 
@@ -0,0 +1,73 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: imap.rules,v 1.24.2.7.2.5 2005/06/15 23:02:33 mwatchinski Exp $
+#--------------
+# IMAP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:11;)
+
+# auth is an imap2 function and only accepts literal usage
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
+
+# FIND does not accept a literal command
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:9;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:13;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2529; rev:6;)
+alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2530; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;)
--- snort-2.8.5.2.orig/rules/sid
+++ snort-2.8.5.2/rules/sid
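Review bot: Three of the command-length rules match the command name case-sensitively while their regex is case-insensitive: sid 1842 (`content:"LOGIN"`), sid 2106 (`content:"LSUB"`) and sid 2107 (`content:"CREATE"`) carry no `nocase`, unlike every sibling rule in this file. Since IMAP commands are case-insensitive, a client that sends `login`, `lsub` or `create` in lower case never reaches the pcre, so an overlong argument to those commands goes unalerted; adding `nocase;` right after each of the three `content` options closes that gap. Separately, sid 3066 pre-filters with `isdataat:100,relative` but its regex requires `[^\n]{256}`, whereas sid 3070 uses 256 for both; aligning 3066 to `isdataat:256,relative` avoids needless pcre evaluation on lines between 100 and 255 bytes.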
@@ -0,0 +1 @@
+3827
--- snort-2.8.5.2.orig/rules/bad-traffic.rules
+++ snort-2.8.5.2/rules/bad-traffic.rules
@@ -0,0 +1,41 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#------------------
+# BAD TRAFFIC RULES
+#------------------
+# These signatures are representitive of traffic that should never be seen on
+# any network. None of these signatures include datagram content checking
+# and are extremely quick signatures
+#
+
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;)
+alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+# linux happens. Blah
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
+alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
--- snort-2.8.5.2.orig/rules/web-cgi.rules
+++ snort-2.8.5.2/rules/web-cgi.rules
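Review bot: The "syn to multicast address" rule (sid:1431) only lists 232/8, 233/8 and 239/8 as destinations, so a TCP SYN to any other class-D address (224.0.0.0–231.255.255.255 and 234/8–238/8) is not alerted on even though it is exactly as illegitimate as the three ranges given; the whole multicast block is one prefix, `alert tcp any any -> 224.0.0.0/4 any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:10;)`. The "Unassigned/Reserved IP protocol" rule (sid:1627) hard-codes `ip_proto:>134`, but the IANA registry it cites has, to my knowledge, carried assignments above 134 (135 Mobility Header, 136 UDP-Lite, 137 MPLS-in-IP) since before this file's 2005 $Id date, so the threshold should be re-checked against the current registry before deployment or legitimate traffic will trip it. The loopback rule (sid:528) also fires on a sensor that monitors its own lo interface; a one-line comment above it stating that it is intended for non-loopback capture interfaces would save operators a false-positive hunt.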
@@ -0,0 +1,396 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-cgi.rules,v 1.77.2.7.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# WEB-CGI RULES
+#--------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; flow:to_server,established; uricontent:"/hsx.cgi"; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft ASPSeek Overflow attempt"; flow:to_server,established; uricontent:"/s.cgi"; nocase; content:"tmpl="; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flow:to_server,established; uricontent:"/wsisa.dll/WService="; nocase; content:"WSMadmin"; nocase; reference:arachnids,467; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb directory traversal attempt"; flow:to_server,established; uricontent:"/YaBB"; nocase; content:"../"; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:806; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb access"; flow:to_server,established; uricontent:"/YaBB"; nocase; reference:arachnids,462; reference:bugtraq,1668; reference:cve,2000-0853; classtype:attempted-recon; sid:1637; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; flow:to_server,established; uricontent:"/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flow:to_server,established; uricontent:"/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; uricontent:"/whois_raw.cgi?"; content:"|0A|"; reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw.cgi access"; flow:to_server,established; uricontent:"/whois_raw.cgi"; 
reference:arachnids,466; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flow:to_server,established; content:" /HTTP/1."; nocase; reference:arachnids,468; reference:bugtraq,932; reference:cve,2000-0066; classtype:attempted-recon; sid:811; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flow:to_server,established; uricontent:"/webplus?about"; nocase; reference:arachnids,470; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flow:to_server,established; uricontent:"/webplus?script"; nocase; content:"../"; reference:arachnids,471; reference:bugtraq,1102; reference:cve,2000-0282; classtype:web-application-attack; sid:813; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flow:to_server,established; uricontent:"/websendmail"; nocase; reference:arachnids,469; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; classtype:web-application-attack; sid:1571; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; flow:to_server,established; uricontent:"/dcforum.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; 
flow:to_server,established; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi access"; flow:to_server,established; uricontent:"/dcboard.cgi"; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; flow:to_server,established; uricontent:"/mmstdod.cgi"; nocase; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory transversal attempt"; flow:to_server,established; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; classtype:web-application-attack; sid:820; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; flow:to_server,established; uricontent:"/imagemap.exe?"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flow:to_server,established; uricontent:"/imagemap.exe"; nocase; reference:arachnids,412; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flow:to_server,established; uricontent:"/cvsweb.cgi"; nocase; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; 
sid:823; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access"; flow:to_server,established; uricontent:"/php.cgi"; nocase; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:13;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flow:to_server,established; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript attempt"; flow:to_server,established; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access"; flow:to_server,established; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access"; flow:to_server,established; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access"; flow:to_server,established; uricontent:"/maillist.pl"; nocase; classtype:attempted-recon; sid:828; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access"; flow:to_server,established; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-maillist.pl"; nocase; reference:bugtraq,2563; reference:cve,2001-0400; classtype:attempted-recon; sid:1451; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flow:to_server,established; uricontent:"/nph-publish"; nocase; reference:cve,1999-1177; reference:nessus,10164; classtype:attempted-recon; sid:830; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access"; flow:to_server,established; uricontent:"/rguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:833; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access"; flow:to_server,established; uricontent:"/rwwwshell.pl"; nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flow:to_server,established; uricontent:"/test-cgi/*?*"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flow:to_server,established; uricontent:"/test-cgi"; nocase; reference:arachnids,218; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:9;) +# testcgi is *one* of many scripts to look for. this *ALSO* triggers on testcgi.exe. 
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flow:to_server,established; uricontent:"/testcgi"; nocase; reference:bugtraq,7214; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flow:to_server,established; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access"; flow:to_server,established; uricontent:"/textcounter.pl"; nocase; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access"; flow:to_server,established; uricontent:"/uploader.exe"; nocase; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access"; flow:to_server,established; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flow:to_server,established; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access"; flow:to_server,established; uricontent:"/perlshop.cgi"; nocase; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access"; flow:to_server,established; uricontent:"/pfdispaly.cgi"; nocase; reference:bugtraq,64; 
reference:cve,1999-0270; reference:nessus,10174; classtype:attempted-recon; sid:841; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access"; flow:to_server,established; uricontent:"/aglimpse"; nocase; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access"; flow:to_server,established; uricontent:"/AnForm2"; nocase; reference:arachnids,225; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access"; flow:to_server,established; uricontent:"/args.bat"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access"; flow:to_server,established; uricontent:"/args.cmd"; nocase; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access"; flow:to_server,established; uricontent:"/AT-admin.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access"; flow:to_server,established; uricontent:"/AT-generated.cgi"; nocase; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access"; flow:to_server,established; uricontent:"/bnbform.cgi"; nocase; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access"; flow:to_server,established; uricontent:"/campas"; nocase; reference:bugtraq,1975; 
reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal"; flow:to_server,established; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access"; flow:to_server,established; uricontent:"/view-source"; nocase; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access"; flow:to_server,established; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access"; flow:to_server,established; uricontent:"/wwwwais"; nocase; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access"; flow:to_server,established; uricontent:"/files.pl"; nocase; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access"; flow:to_server,established; uricontent:"/wguest.exe"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flow:to_server,established; uricontent:"/wrap"; reference:arachnids,234; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI classifieds.cgi access"; 
flow:to_server,established; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access"; flow:to_server,established; uricontent:"/environ.cgi"; nocase; classtype:attempted-recon; sid:856; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flow:to_server,established; uricontent:"/faxsurvey"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flow:to_server,established; uricontent:"/filemail.pl"; nocase; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flow:to_server,established; uricontent:"/man.sh"; nocase; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access"; flow:to_server,established; uricontent:"/snork.bat"; nocase; reference:arachnids,220; reference:bugtraq,1053; reference:cve,2000-0169; classtype:attempted-recon; sid:860; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access"; flow:to_server,established; uricontent:"/w3-msql/"; nocase; reference:arachnids,210; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access"; flow:to_server,established; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:7;) +alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flow:to_server,established; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flow:to_server,established; uricontent:"/post-query"; nocase; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access"; flow:to_server,established; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,1999-0970; reference:cve,1999-1970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access"; flow:to_server,established; uricontent:"/dumpenv.pl"; nocase; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; uricontent:"/calendar_admin.pl?config=|7C|"; reference:cve,2000-0432; classtype:web-application-attack; sid:1536; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flow:to_server,established; uricontent:"/calendar_admin.pl"; reference:cve,2000-0432; classtype:web-application-activity; sid:1537; rev:6;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flow:to_server,established; uricontent:"/calender_admin.pl"; nocase; reference:cve,2000-0432; classtype:attempted-recon; sid:1456; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; 
sid:1701; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar.pl access"; flow:to_server,established; uricontent:"calendar"; nocase; pcre:"/calendar(|[-_]admin)\.pl/Ui"; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flow:to_server,established; uricontent:"/user_update_admin.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flow:to_server,established; uricontent:"/user_update_passwd.pl"; nocase; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access"; flow:to_server,established; uricontent:"/snorkerz.cmd"; nocase; classtype:attempted-recon; sid:870; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access"; flow:to_server,established; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flow:to_server,established; uricontent:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flow:to_server,established; uricontent:"/win-c-sample.exe"; nocase; reference:arachnids,231; reference:bugtraq,2078; reference:cve,1999-0178; 
reference:nessus,10008; classtype:attempted-recon; sid:875; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access"; flow:to_server,established; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access"; flow:to_server,established; uricontent:"/admin.pl"; nocase; reference:bugtraq,3839; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access"; flow:to_server,established; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access"; flow:to_server,established; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access"; flow:to_server,established; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail arbitrary command execution attempt"; flow:to_server,established; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail access"; flow:to_server,established; uricontent:"/formmail"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; 
reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:14;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access"; flow:to_server,established; uricontent:"/phf"; nocase; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access"; flow:to_server,established; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access"; flow:to_server,established; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access"; flow:to_server,established; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access"; flow:to_server,established; uricontent:"/sendform.cgi"; nocase; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access"; flow:to_server,established; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:5;) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access"; flow:to_server,established; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo"; nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt"; flow:to_server,established; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access"; flow:to_server,established; uricontent:"/bb-hist.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access"; flow:to_server,established; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access"; flow:to_server,established; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh attempt"; flow:to_server,established; uricontent:"/bb-hostsvc.sh?HOSTSVC?../.."; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostscv.sh access"; flow:to_server,established; 
uricontent:"/bb-hostsvc.sh"; nocase; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-rep.sh access"; flow:to_server,established; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access"; flow:to_server,established; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access"; flow:to_server,established; uricontent:"/redirect"; nocase; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; flow:to_server,established; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; reference:bugtraq,2370; reference:cve,2001-0214; classtype:web-application-attack; sid:1397; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI way-board access"; flow:to_server,established; uricontent:"/way-board"; nocase; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; content:"documentName="; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; flow:to_server,established; uricontent:"/pals-cgi"; nocase; reference:bugtraq,2372; 
reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi arbitrary file access attempt"; flow:to_server,established; uricontent:"/commerce.cgi"; content:"page="; content:"/../"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; flow:to_server,established; uricontent:"/commerce.cgi"; nocase; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-attack; sid:899; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; flow:to_server,established; uricontent:"/sendtemp.pl"; nocase; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi directory traversal attempt"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs.cgi access"; flow:to_server,established; uricontent:"/webspirs.cgi"; nocase; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI 
tstisapi.dll access"; flow:to_server,established; uricontent:"tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; flow:to_server,established; uricontent:"/sendmessage.cgi"; nocase; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; flow:to_server,established; uricontent:"/lastlines.cgi"; nocase; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flow:to_server,established; uricontent:"/zml.cgi"; content:"file=../"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1395; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flow:to_server,established; uricontent:"/zml.cgi"; reference:bugtraq,3759; reference:cve,2001-1209; classtype:web-application-activity; sid:1396; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; flow:to_server,established; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flow:to_server,established; uricontent:"/store/agora.cgi?cart_id= + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. 
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2462.txt
+++ snort-2.8.5.2/doc/signatures/2462.txt
@@ -0,0 +1,71 @@
+Rule:
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account
+overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0;
+byte_test:1,>,16,12; reference:cve,CAN-2004-0176; reference:bugtraq,9952;
+classtype:attempted-admin; sid:2462; rev:1;)
+
+--
+Sid:
+2462
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Ethereal decode of the Internet Group membership Authentication
+Protocol (IGAP).
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code as root or
+LOCAL_SYSTEM privilege on a vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability associated with particular versions of Ethereal that
+may cause a buffer overflow when a malformed IGAP packet is decoded using Ethereal
+or tethereal. This may permit the execution of arbitrary code with root or
+LOCAL_SYSTEM privilege. The buffer overflow occurs when a larger than expected
+User Account Size value is discovered in the IGAP payload.
+
+--
+Affected Systems:
+Any host running Ethereal/tethereal versions 0.10.0 - 0.10.2.
+
+--
+Attack Scenarios:
+An attacker can create and send a malformed IGAP packet, and if decoded by
+a vulnerable version of Ethereal/tethereal, can cause a buffer overflow and the
+subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to version 0.10.3 of Ethereal.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Judy Novak
+
+--
+Additional References
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
+
+Bugtraq:
+http://www.securityfocus.com/bid/9952:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000843.txt
+++ snort-2.8.5.2/doc/signatures/100000843.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000843
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Koobi Pro" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "showtopic" parameter in the "index.php" script used by the "Koobi Pro" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Koobi Pro
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/100000419.txt
+++ snort-2.8.5.2/doc/signatures/100000419.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000419
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ashwebstudio Ashnews" application running on a webserver. Access to the file "ashnews.php" using a remote file being passed as the "pathtoashnews" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "pathtoashnews" parameter in the "ashnews.php" script used by the "Ashwebstudio Ashnews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ashwebstudio Ashnews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/3222.txt
+++ snort-2.8.5.2/doc/signatures/3222.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3222
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1864.txt
+++ snort-2.8.5.2/doc/signatures/1864.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1864
+
+--
+Summary:
+This event is generated when an attempt is made to enter the "SITE
+NEWER" command on an FTP server.
+
+--
+Impact:
+Denial of Service. Possible execution of arbitrary code is possible.
+
+--
+Detailed Information:
+When issued the "SITE NEWER" command, some versions of wu-ftpd can
+consume excessive ammounts of memory whichthen can effectively act as a
+denial of service to the entire system. If a user can create files on
+the system, it may be possible to execute code as the user running the
+ftpd daemon, typically root.
+
+--
+Affected Systems:
+ wu-ftpd versions prior to and including 2.4.2.
+
+--
+Attack Scenarios:
+An attacker might be trying to DoS the system, and it could lead to
+arbitrary code execution with root privileges.
+
+--
+Ease of Attack:
+Medium
+
+--
+False Positives:
+This can lead to false positives if the ftp service is not wu-ftpd or if
+wu-ftpd is greater than version 2.4.2
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade the wu-ftpd service
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1128.txt
+++ snort-2.8.5.2/doc/signatures/1128.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1128
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3081.txt
+++ snort-2.8.5.2/doc/signatures/3081.txt
@@ -0,0 +1,145 @@ +Rule: + +-- +Sid: +3081 +-- +Summary: +This event is generated when a Y3KRAT 1.5 server attempts to respond to a client's connect request. + +-- +Impact: +If connected, the attacker could execute a multitude of functions resulting in a complete compromise of the victim's machine. + +-- +Detailed Information: +Y3KRAT 1.5 uses port 5880 by default. This port can be changed by the attacker. + +The following is a list of the commands for many of Y3KRAT 1.5's functions (Command Name: Command String): + +AIM Passwords: aolpwd +AIM Spy: aolspy +Change Internet Explorer Caption: changeiecaptest +Chat With Server: chatsrvY3K Rat user +Clipboard: pastefromclip +Change Desktop Color Scheme: clsys +Change Recycle Bin Name: nrbin +Change System Name: sysname +Change Time: time +Video List: getvideolist +Dialup: autoconnect +Access Directories: getclientgetpaths +Get Directory Paths: getpaths +Disable Mouse Buttons: dbuttons +Disable Num Lock: dnumlock +Disable System Keys: dsyskeys +Disable All Keys: dkeys{all} +DOS Commands: doscommands +Fast Mouse: fastmouseon +Find File: findfile +Flip Screen: flip1hor +FTP: openftp21 +Go To URL: gotourl +Hide Taskbar: hidetask +Hide Clock: hideclock +Hide Desktop Icons: hidedeskicons +Hide Start Button: hidestart +Hide System Tray: hidesystray +ICQ Information: getclienticqinfo +ICQ Passwords: geticqpass +ICQ Spy: icqspy +Internet Explorer Spy: iespy +General Information: general +Lights On: lightson +Lights Off: lightsoff +Live Shot: cap +Logged Passwords: getpasses +Logoff: boot41 +Make File: makefile +Matrix Chat: matrix +Modify File (Read System File): readsysfiles +Modify File (Write System File): writesysfiles +Monitor Off: enablestandby +Mouse Settings (Set Position): setpos +Mouse Settings (Freeze Mouse Position): freezepos +Mouse Settings (Speed Up Cursor): speedcursor +MSN Spy: msnspy +Napster Spy: napsterspy +Net Get: netget +NetStat (Read): netstatread +NetStat (Kill): netstatkill +CD-ROM open: cdopen +CD-ROM 
close: cdclose +Open File: getfiles +Overclock: upmhz +Play Sound: snd (*followed by the sound, for example, err for the error sound*) +Power Off: boot31 +Print: print +Ras Passwords: getras +Remove Server: killserver +Change Resolution: setdevmode +Restart: boot21 +Safe Mode: safemode +Screenshot: cap +Send Keys: sendtextf +Send Message: messText +Show Windows With Text: showwin +Shutdown: boot11 +Swap Mouse Buttons: swapbuttons +Write System Error: writesystem +Yahoo Spy: yahoospy + + +-- +Affected Systems: + Windows 95, 98, ME, NT, 2000 + +-- + +Attack Scenarios: +The victim must first install the server. Be wary of suspicious files because they often can be backdoors in disguise. +Once the victim mistakenly installs the server program, the attacker usually will employ an IP scanner program +to find the IP addresses of victims that have installed the program. Then the attacker enters the IP address and +presses the connect button and he has access to your computer. + +-- + +Ease of Attack: +Easy. Simply a matter of pressing the connect button once the victim has installed the server. + + +-- + +False Positives: +None known + +-- +False Negatives: +None known + +-- + +Corrective Action: +Remove the Dcomcnofg key located at the following places in the registry: +HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\Run +HKEY_LOCAL_MACHINES\Software\Microsoft\Windows\CurrentVersion\RunServices +HKEY_USERS\Default\Software\Microsoft\Windows\CurrentVersion\Run + +Reboot the computer or close Dcomcnofg.exe. + +Delete Dcomcnofg.exe from the windows system directory. + +If found, delete server.exe and kill the process called server.exe. + +-- +Contributors: +Sourcefire Research Team +Ricky Macatee + +-- +Additional References: + +Dark-E: +http://www.dark-e.com/archive/trojans/y3krat/15/index.shtml + +-- --- snort-2.8.5.2.orig/doc/signatures/3303.txt +++ snort-2.8.5.2/doc/signatures/3303.txt 
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3303
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3248.txt
+++ snort-2.8.5.2/doc/signatures/3248.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3248
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/977.txt
+++ snort-2.8.5.2/doc/signatures/977.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 977
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3131.txt
+++ snort-2.8.5.2/doc/signatures/3131.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+3131
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in GNU Mailman.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+GNU Mailman is used to manage mailing lists. It is written in Python and
+is available on a variety of platforms.
+
+GNU Mailman when used with webservers that do not remove extra slashes
+from URLs, is prone to a directory traversal attack that may allow an
+attacker access to sensitive files on an affected system.
+
+--
+Affected Systems:
+ GNU Mailman in conjunction with Apache 1.3.x
+
+--
+Attack Scenarios:
+An attacker can supply extra slashes and dots (....///) to a URL to
+escape the web root and access other parts of the host filesystem.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000706.txt
+++ snort-2.8.5.2/doc/signatures/100000706.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000706
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/3373.txt
+++ snort-2.8.5.2/doc/signatures/3373.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3373
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/288.txt
+++ snort-2.8.5.2/doc/signatures/288.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+288
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow in the POP3 service on Linux systems.
+
+--
+Impact:
+An attacker can gain access to a shell running with root privileges.
+
+--
+Detailed Information:
+This rule looks for a piece of shell code (executable code) that is
+used to exploit a known vulnerability in an older version of the POP3
+daemon distributed in Linux systems.
+
+--
+Affected Systems:
+Various Linux versions.
+
+--
+Attack Scenarios:
+The attack is done remotely and gives the attacker a command shell
+running with root privileges.
+
+--
+Ease of Attack:
+Simple. An exploit is readily available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the available security patches from your linux vendor.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+Snort documentation contributed by Steven Alexander
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2938.txt
+++ snort-2.8.5.2/doc/signatures/2938.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2938
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3365.txt
+++ snort-2.8.5.2/doc/signatures/3365.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3365
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000854.txt
+++ snort-2.8.5.2/doc/signatures/100000854.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000854
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ListMessenger" application running on a webserver. Access to the file "listmessenger.php" using a remote file being passed as the "lm_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "lm_path" parameter in the "listmessenger.php" script used by the "ListMessenger" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ListMessenger
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/2614.txt
+++ snort-2.8.5.2/doc/signatures/2614.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2614
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases allow a user to set a time zone for the session.
+The "alter session set time_zone" command contains a programming
+error that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in the parameter for the
+command.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string as the value for this command.
+The result could permit the attacker to gain escalated privileges and
+run code of their choosing. This attack requires an attacker to logon
+to the database with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/9587
+
+Other:
+http://www.nextgenss.com/advisories/ora_time_zone.txt
+
+--
--- snort-2.8.5.2.orig/doc/signatures/463.txt
+++ snort-2.8.5.2/doc/signatures/463.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+463
+
+--
+
+Summary:
+This event is generated when an ICMP Type 7 datagram with an undefined ICMP Code is detected on the network.
+
+--
+
+Impact:
+ICMP Type 7 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 7 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 7 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton
+
+--
+
+Additional References:
+None
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000384.txt
+++ snort-2.8.5.2/doc/signatures/100000384.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000384
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ottoman" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "default_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "default_path" parameter in the "index.php" script used by the "Ottoman" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ottoman
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1694.txt
+++ snort-2.8.5.2/doc/signatures/1694.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1694
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/333.txt
+++ snort-2.8.5.2/doc/signatures/333.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+333
+
+--
+Summary:
+This event is generated when a remote user sends a finger request to .@hostname. This may indicate an attempt to discover information about users on the system.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Finger is a directory service on UNIX and Linux operating systems that allows users to obtain basic information about other users, including account name, home directory, and login status. A malicious user could use the string "finger .@hostname" to obtain a list of each user on the system. This may enable the attacker to view unused or inactive accounts, which are more likely to have default passwords that are relatively easy to guess or susceptible to brute force password attempts.
+
+--
+Affected Systems:
+Any UNIX/Linux distribution with older versions of finger enabled.
+
+--
+Attack Scenarios:
+An attacker issues a finger .@host to the vulnerable server and views a list of users. The attacker then attempts to guess passwords for users with the "Never logged in" status.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A non-malicious user using finger to obtain a user list will cause this rule to trigger.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable finger support on your servers or upgrade to a more recent version of the finger daemon.
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3453.txt
+++ snort-2.8.5.2/doc/signatures/3453.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3453
+
+--
+Summary:
+This event is generated when an attempt is made to probe for
+information on a host running Arkeia Client Backup server.
+
+--
+Impact:
+This may be reconnaissance to find version or operating
+system information about the Arkeia Client Backup server
+to later run an appropriate exploit.
+
+--
+Detailed Information:
+By default, Arkeia Client Backup servers do not require any
+authentication for informational requests. An attacker who
+may be planning to exploit a vulnerable version of the software
+may attempt to request file or system information.
+
+--
+Affected Systems:
+ Arkeia version 5.3 and prior.
+
+--
+Attack Scenarios:
+An attacker can attempt to query an Arkeia Client Backup
+server for system or file information.
+
+--
+Ease of Attack:
+Simple. Exploits are publicly available.
+
+--
+False Positives:
+None known. If you run Arkeia Client Backup on your network,
+make sure that your the variable $EXTERNAL_NET is configured
+to reflect IP addresses outside of your network. Otherwise,
+this rule will alert on valid internal traffic.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current non-affected version of the product.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References
+
+Metasploit:
+http://metasploit.com/research/arkeia_agent
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2244.txt
+++ snort-2.8.5.2/doc/signatures/2244.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2244
+
+--
+Summary:
+This event is generated when an attempt is made to
+
+--
+Impact:
+Serious. Unauthorized access.
+
+--
+Detailed Information:
+Certain versions of Lucent VitalNet allow access to resources without
+the need for a password.
+
+--
+Affected Systems:
+ Lucent VitalAnalysis 8.0, 8.1, 8.2
+ Lucent VitalEvent 8.0, 8.1, 8.2
+ Lucent VitalHelp 8.0, 8.1, 8.2
+ Lucent VitalNet 8.0, 8.1, 8.2
+ Lucent VitalSuite 8.0, 8.1, 8.2
+
+--
+Attack Scenarios:
+The attacker merely needs to guess a valid username and can gain access
+without the need for a password.
+
+http://victim.foo.com/cgi-bin/VsSetCookie.exe?vsuser=username
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2451.txt
+++ snort-2.8.5.2/doc/signatures/2451.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2451
+
+--
+Summary:
+This event is generated when a user in your network has successfully registered with a Yahoo Instant Messenger server to receive voice chat messages or is receiving voice chat messages.
+
+--
+Impact:
+Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Yahoo IM voice chat allows IM users to exchange audio messages. This activity may not be appropriate in a corporate environment.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+This particular type of Yahoo IM exchange has no known attacks, however it may represent a policy violation because the host is running Yahoo IM.
+
+--
+Ease of Attack:
+Easy to exchange voice messages.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1376.txt
+++ snort-2.8.5.2/doc/signatures/1376.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1376
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2738.txt
+++ snort-2.8.5.2/doc/signatures/2738.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2738
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_number
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1531.txt
+++ snort-2.8.5.2/doc/signatures/1531.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1531
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/492.txt
+++ snort-2.8.5.2/doc/signatures/492.txt
@@ -0,0 +1,102 @@
+Rule:
+
+--
+
+Rule:
+--
+Sid:
+492
+
+--
+
+Summary:
+This event is generated when an unsuccessful login attempt was made via telnet.
+
+--
+
+Impact:
+Possible unauthorized access via password brute-forcing
+
+An attacker may have attempted to gain access to a valid user's account
+via the telnet service, but did not succeed. The telnet service is
+running, which uses insecure authentication mechanisms.
+
+--
+
+Detailed Information:
+A user tried to log on to a system via telnet, but has been rejected,
+either due to invalid username, password, or both. This could mean
+someone is trying to log on without proper password (if there are
+multiple unsuccessful logins) or they may have just mistyped the
+username or the password.
+
+The telnet server typically runs on TCP port 23. Upon access to the
+server, account access is granted based on an unencrypted user name and
+password. Upon a failed login (resulting from either an invalid account
+or an incorrect password), a login failure message will be returned.
+This rule matches the common text "Login failed".
+
+--
+
+Affected Systems:
+Any system running a telnet server.
+
+--
+
+Attack Scenarios:
+Attackers can, particularly when armed with a valid account name,
+attempt to use guessing attacks or brute-force means to gain access via
+the telnet service. Many successive events of this type would likely be
+indicative of such an attack.
+
+The use of a telnet server allows the passive attack of traffic
+sniffing, which can extract a username and password from any valid
+login.
+
+--
+
+Ease of Attack:
+Simple.
+
+This event indicates it is possible to perform a brute-force attack; the
+ease of such an attack is dependent upon the strength of passwords, and
+rate-limiting techniques employed by the telnet server in question.
+
+--
+
+False Positives:
+This event will match any badly-typed or -remembered password, and will
+therefore generate a false positive. Look for rapid successive events.
+
+--
+
+False Negatives:
+If a password is correctly guessed, no failure will be noted.
+
+--
+
+Corrective Action:
+Check how many invalid attempts occurred, change the password of the
+user that tried to log in.
+
+It is best to avoid using telnet whenever possible; its authentication
+system is lacking, and encryption is generally unavailable. If your
+telnet server can be configured to temporarily disable access after
+rapid successive failures, it as advised that you do so.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos and Nick Black, Reflex Security
+Sourcefire Research Team
+Nigel Houghton
+
+--
+
+Additional References:
+
+Telnet RFC:
+http://www.faqs.org/rfcs/rfc854.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/211.txt
+++ snort-2.8.5.2/doc/signatures/211.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+211
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to a
+Telnet server using the phrase "r00t".
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000810.txt
+++ snort-2.8.5.2/doc/signatures/100000810.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000810
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPBB" application running on a webserver. Access to the file "download.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "download.php" script used by the "PHPBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/122-24.txt
+++ snort-2.8.5.2/doc/signatures/122-24.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-24
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered distributed portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker
+Marc Norton
+Jeremy Hewlett
+Nigel Houghton
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2749.txt
+++ snort-2.8.5.2/doc/signatures/2749.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2749
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_delete_resolution
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2334.txt
+++ snort-2.8.5.2/doc/signatures/2334.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2334
+
+--
+Summary:
+This event is generated when an attempt is made to access a Yak! FTP
+server using the default username and password.
+
+--
+Impact:
+Administrative access to the server.
+
+--
+Detailed Information:
+Yak FTP servers have a default username and password of "user" and
+"y049575046", if this is not changed by the administrator it is possible
+for an attacker to gain unauthorised access to the server.
+
+--
+Affected Systems:
+ Yak FTP servers
+
+--
+Attack Scenarios:
+An attacker merely needs to login to the server using the default
+username and password.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Change the username and password.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2389.txt
+++ snort-2.8.5.2/doc/signatures/2389.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2389
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow vulnerability associated with WuFtpd RNTO command.
+
+--
+Impact:
+Remote access. A successful attack may permit the remote execution of
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
+with the RNTO command that can cause a buffer overflow and permit the
+execution of arbitrary commands with system privileges. The buffer
+overflow can be caused by supplying an overly long argument to the RNTO
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+ Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/985.txt
+++ snort-2.8.5.2/doc/signatures/985.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+985
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+ All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000696.txt
+++ snort-2.8.5.2/doc/signatures/100000696.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000696
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "create.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "create.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/2179.txt
+++ snort-2.8.5.2/doc/signatures/2179.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+
+Sid:
+2179
+
+--
+
+Summary:
+This event is generated when a remote attacker attempts to exploit a
+format string vulnerability against an FTP server during authentication.
+
+--
+
+Impact:
+Attempted Admin. A successful format string attack could result in the
+execution of arbitrary code with the same privileges as the user running
+the FTP daemon.
+
+--
+
+Detailed Information:
+Several FTP daemons are vulnerable to format string exploits during
+authentication to the FTP server. A successful exploit attempt could
+result in the remote attacker gaining unauthorized root access to the
+vulnerable system.
+
+--
+Affected Systems:
+ SmallFTP v0.99
+
+--
+
+Attack Scenarios:
+A remote attacker could use a publicly available script to exploit the
+vulnerability an gain control of the target host.
+
+--
+Ease of Attack:
+Simple. Numerous attack scripts exist to exploit this vulnerabiliy.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+SmallFTPD has released an updated software package that resolve the
+problem. It can be downloaded from:
+http://smallftpd.free.fr
+
+--
+
+Contributors:
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+http://www.securityfocus.com/bid/7474
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2416.txt
+++ snort-2.8.5.2/doc/signatures/2416.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2416
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or
+it could be an attempt to compromise the FTP server by overflowing a
+buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain
+access to a host, then upload a Trojan Horse program to gain control of
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1955.txt
+++ snort-2.8.5.2/doc/signatures/1955.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1955
+
+--
+Summary:
+This event is generated when a request is made to discover the version and configuration information associated with the Remote Procedure Call (RPC) amd.
+
+--
+Impact:
+Information disclosure. This request can allow an attacker to discover the version of amd running as well as other configuration information about the host.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts. The amd service automatically mounts and unmounts requested file systems. An attacker can make a request to amd to discover its version number. A successful request will return the version number along with other valuable configuration information about the server, including the architecture.
+
+--
+Affected Systems:
+Any system running amd.
+
+--
+Attack Scenarios:
+An attacker may request the version number associated with amd. The response may give an attacker valuable configuration information about the host.
+
+--
+Ease of Attack:
+Simple. Execute the command 'amq -v -T -h hostname/IP'
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3352.txt
+++ snort-2.8.5.2/doc/signatures/3352.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3352
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000655.txt
+++ snort-2.8.5.2/doc/signatures/100000655.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000655
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "MyPHP Guestbook" application running on a
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "comment" parameter in the "guestbook.php"
+script used by the "MyPHP Guestbook" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using MyPHP Guestbook
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/2801.txt
+++ snort-2.8.5.2/doc/signatures/2801.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2801
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure resume_master_activity
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2279.txt
+++ snort-2.8.5.2/doc/signatures/2279.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2279
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may
+lead to the attacker being able to execute PHP code and include php files
+of the attackers choosing.
+
+--
+Affected Systems:
+ MediaWiki MediaWiki-stable 20031107
+ MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3449.txt
+++ snort-2.8.5.2/doc/signatures/3449.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3449
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+ NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1598.txt
+++ snort-2.8.5.2/doc/signatures/1598.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1598
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2440.txt
+++ snort-2.8.5.2/doc/signatures/2440.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2440
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Real Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+ Real Networks RealOne Desktop Manager
+ Real Networks RealOne Enterprise Desktop 6.0.11 .774
+ Real Networks RealOne Player 1.0
+ Real Networks RealOne Player 2.0
+ Real Networks RealOne Player 6.0.11 .868
+ Real Networks RealOne Player version 2.0 for Windows
+ Real Networks RealPlayer 8.0 Win32
+ Real Networks RealPlayer 8.0 Unix
+ Real Networks RealPlayer 8.0 Mac
+ Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2477.txt
+++ snort-2.8.5.2/doc/signatures/2477.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2477
+
+--
+Summary:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to create an AndX entry
+via SMB.
+
+--
+Affected Systems:
+ Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings then create an entry in the winreg service.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3170.txt
+++ snort-2.8.5.2/doc/signatures/3170.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3170
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000531.txt
+++ snort-2.8.5.2/doc/signatures/100000531.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000531
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "BtitTracker" application running on a webserver. Access
+to the file "torrents.php" with SQL commands being passed as the "by" parameter
+may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "by" parameter in the "torrents.php" script used by the
+"BtitTracker" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BtitTracker
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1535.txt
+++ snort-2.8.5.2/doc/signatures/1535.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1535
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2593.txt
+++ snort-2.8.5.2/doc/signatures/2593.txt
@@ -0,0 +1,68 @@
+Rule:
+
+
+--
+Sid:
+2593
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow
+associated with the Mail Transfer Agent Exim.
+
+--
+Impact:
+A successful attack may allow the execution of arbitrary code on a vulnerable
+server with the privilege of the process running Exim.
+
+--
+Detailed Information:
+Exim is vulnerable to a buffer overflow, permitting an attacker to execute
+arbitrary code. The vulnerability may be exploited if Exim is configured to
+verify header syntax in the e-mail message body. This is not the default
+configuration. If an attacker supplies a large number of spaces after certain
+header fields, it may be possible to cause a buffer overflow.
+
+--
+Affected Systems:
+Exim prior to version 4.34
+
+--
+Attack Scenarios:
+An attacker can create and send mail with a malformed header,
+possibly causing a buffer overflow and permitting the execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References
+
+Bugtraq:
+http://www.securityfocus.com/bid/10291
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0400
+
+Other:
+http://www.guninski.com/exim1.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/115-1.txt
+++ snort-2.8.5.2/doc/signatures/115-1.txt
@@ -0,0 +1,71 @@
+
+
+Rule:
+
+--
+Sid:
+115-1
+
+--
+Summary:
+This event is generated when the pre-processor asn1 detects network
+traffic that may constitute an attack. Specifically an indefinite asn.1
+length encoding was detected.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the asn1 pre-processor detects network
+traffic that may consititute an attack.
+
+Indefinite Lengths are conceptually like BLOB data. The upper bit of
+the first byte is set to one, and the bottom seven bits are zero. The
+data value follows immediately, and continues until two zero-bytes are
+encountered.
+
+More information on this event can be found in the individual
+pre-processor documentation README.asn1 in the docs directory of the
+snort source. Detailed instructions and examples on how to tune and use
+the pre-processor can also be found in the same document.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker
+Nigel Houghton
+
+--
+Additional References:
+
+ASN1 Information Site:
+http://asn1.elibel.tm.fr/
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2115.txt
+++ snort-2.8.5.2/doc/signatures/2115.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+2115
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability in the Mike Bobbit Album.pl cgi application.
+
+--
+Impact:
+Execution of arbitrary code with the privileges of the user executing the cgi application.
+
+--
+Detailed Information:
+The MIke Bobbit Album is a Perl CGI script used for managing pictures on a webserver.
+
+A vulnerability exists such that an attacker may execute arbitrary commands on the server when a non-standard configuration file is used.
+
+Affected Systems:
+ Mike Bobbit Album 0.61.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7444
+
+--
--- snort-2.8.5.2.orig/doc/signatures/217.txt
+++ snort-2.8.5.2/doc/signatures/217.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+217
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to a
+Telnet server using the phrase "hax0r". This is a known password for
+the sm4ck Linux rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/116.txt
+++ snort-2.8.5.2/doc/signatures/116.txt
@@ -0,0 +1,104 @@
+Rule:
+Backdoor.BackOrifice
+
+--
+Sid:
+112, 116
+
+--
+Summary:
+Backdoor.BackOrifice is a Trojan Horse.
+
+Server Port: 31337 although in later versions this port can be changed
+to a value between 1 and 65535
+Protocol: UDP although in later versions TCP can also be used
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+
+The Trojan changes system registry settings to add the BackOrifice sever
+to programs normally started on boot. Due to the nature of this Trojan
+it is unlikely that the attacker's client IP address has been spoofed.
+
+The default name of the server application is UMGR32, which can be
+changed on first use. The new application may be installed in the system
+or system32 direcory and the original may also be deleted.
+
+Event messages relating to activity from this Trojan are:
+
+ SID Message
+ --- -------
+ 112 BackOrifice access (outgoing TCP connection)
+ 116 BackOrifice access (incoming UDP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
+
+Registry keys added may vary, look for spurious entries in the above
+locations.
+
+BackOrifice may hide the process from viewing inthe Windows task
+manager. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS399
+
+Symantec Security Response
+http://www.symantec.com/avcenter/venc/data/back.orifice2000.trojan.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1392.txt
+++ snort-2.8.5.2/doc/signatures/1392.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1392
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2170.txt
+++ snort-2.8.5.2/doc/signatures/2170.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2170
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected.
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1039.txt
+++ snort-2.8.5.2/doc/signatures/1039.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+1039
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential
+weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential
+weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation
+on the host, this may be the prelude to an attack against that host
+using that information.
+
+This event is generated when an attempt is made to access a sample
+application on a Microsoft IIS server. In this case the sample search
+functionality. This application may present an attacker with the
+opportunity to gain valuable information regarding the implemenation of
+IIS on the affected host.
+
+--
+Affected Systems:
+ Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the
+IIS implementation. The attacker might then gain administrator access to
+the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been
+taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+Delete or disable access to any sample applications on the host.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/support/kb/articles/Q188/2/57.ASP&NoWebContent=1
+
+--
--- snort-2.8.5.2.orig/doc/signatures/576.txt
+++ snort-2.8.5.2/doc/signatures/576.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+576
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) amountd (also known as autofsd) is listening.
+
+
+--
+Impact:
+Information disclosure. This request is used to discover which port amountd is using. Attackers can also learn what versions of the amountd protocol are accepted by amountd.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as amountd run. The amountd RPC service is used by UNIX hosts to automatically mount and unmount autofs files. It can use name service maps to find file systems to be mounted. A vulnerability is present in autofsd that allows an attacker to execute arbitrary commands. The attacker requests a map name that is executable, followed by a malformed client key and commands to be executed. The server improperly interprets the input and executes the commands.
+
+--
+Affected Systems:
+IBM AIX 4.3, SGI IRIX 6.2, 6.3, 6.4, 6.5, and 6.5.1.
+
+--
+Attack Scenarios:
+An attacker can craft an amountd request that executes arbitrary commands on the remote file system.
+
+--
+Ease of Attack:
+Easy. Exploit code is widely available.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access amountd, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for amountd, not probes of the amountd service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the amountd service itself. An attacker may attempt to go directly to the amountd port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/332/info/
+
+Arachnids:
+http://www.whitehats.com/info/IDS19
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2252.txt
+++ snort-2.8.5.2/doc/signatures/2252.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+2252
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerablity in Microsoft RPCSS service for RPC.
+
+--
+Impact:
+Denial of Service. Possible execution of arbitrary code leading to
+unauthorized remote administrative access.
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPCSS Service that handles RPC DCOM
+requests such that execution of arbitrary code or a Denial of Service
+condition can be issued against a host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to the host
+running the RPCSS service may result in a buffer overflow condition that
+will present the attacker with the opportunity to execute arbitrary code
+with the privileges of the local system account. Alternatively the
+attacker could also cause the RPC service to stop answering RPC requests
+and thus cause a Denial of Service condition to occur.
+
+--
+Affected Systems:
+ Windows NT 4.0 Workstation and Server
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a DCERPC bind request followed by a malicious
+DCERPC DCOM remote activation request.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139, 445 and 593 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+Disallow the use of RPC over HTTP and HTTPS.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
+
+eEye:
+http://www.eeye.com/html/Research/Advisories/AD20030910.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1213.txt
+++ snort-2.8.5.2/doc/signatures/1213.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1213
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1516.txt
+++ snort-2.8.5.2/doc/signatures/1516.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1516
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/997.txt
+++ snort-2.8.5.2/doc/signatures/997.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 997
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/313.txt
+++ snort-2.8.5.2/doc/signatures/313.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 313
+
+--
+Summary:
+This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system.
+
+Affected Versions:
+ Multiple vendors
+
+--
+Attack Scenarios:
+Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/210
+
+--
--- snort-2.8.5.2.orig/doc/signatures/917.txt
+++ snort-2.8.5.2/doc/signatures/917.txt
@@ -0,0 +1,62 @@
+SID:
+917
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses
+these undocumented tags with the possibility of changing values on the
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+ Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an
+application that accesses the undocumented CFML tags, accessing this
+application would allow viewing and possible modifications of these
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1038.txt
+++ snort-2.8.5.2/doc/signatures/1038.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1038
+
+--
+Summary:
+This event is generated when an attempt is made to access the Microsoft Site Server site configuration file.
+
+--
+Impact:
+Intelligence gathering. This attack may permit the viewing of the site configuration file, which may contain sensitive information such as the username and password used by the Ad Server to access SQL databases.
+
+--
+Detailed Information:
+Microsoft Site Server Commerce Edition 3.0 contains an AdSamples directory, which is provided for instruction and demonstration of the Ad Server capabilities. Unless directory permissions are altered, an attacker may view the site configuration file, site.csc. This contains sensitive information such as username and password that may be used to gain unauthorized access to SQL databases.
+
+--
+Affected Systems:
+Microsoft Site Server Commerce Edition 3.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL to reference the site.csc file to view sensitive information.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete the directory containing the sample code if it is not required.
+
+Restrict access to the sample code directory.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-1520
+
+Bugtraq
+http://www.securityfocus.com/bid/256
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1072.txt
+++ snort-2.8.5.2/doc/signatures/1072.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1072
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/118.txt
+++ snort-2.8.5.2/doc/signatures/118.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+118
+
+--
+Summary:
+Satans Backdoor is a Trojan Horse capable of stealing passwords. This
+event is generated when an infected machine replies to the attackers
+connection attempt.
+
+--
+Impact:
+Possible theft of data and passwords.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+
+The Trojan server always communcates via port 666 and cannot be changed
+by the attacker. The server portion itself is named winvmm32.exe, this
+also cannot be changed. The main purpose of this Trojan is password
+stealing thus presenting the attacker with access to other machines and
+possible further compromise of data.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located called winvmm32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the file winvmm32.exe.
+
+Kill the process winvmm32.exe.
+
+--
+Contributors:
+Orignal rule by webmaster@tlsecurity.net
+
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS316
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000383.txt
+++ snort-2.8.5.2/doc/signatures/100000383.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000383
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "OsTicket" application running on a webserver. Access to the file "open_form.php" using a remote file being passed as the "include_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "include_path" parameter in the "open_form.php" script used by the "OsTicket" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using OsTicket
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1540.txt
+++ snort-2.8.5.2/doc/signatures/1540.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+1540
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and
+the attack scenarios are legion.
+
+--
+Affected Systems:
+ All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/541.txt
+++ snort-2.8.5.2/doc/signatures/541.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 541
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2857.txt
+++ snort-2.8.5.2/doc/signatures/2857.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2857
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure switch_snapshot_master
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/611.txt
+++ snort-2.8.5.2/doc/signatures/611.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid: 611
+
+--
+Summary:
+This event is generated when a remote login attempt using rlogin fails.
+
+--
+Impact:
+Someone has tried to login using rlogin and failed
+
+--
+Detailed Information:
+This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
+
+Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
+
+--
+Attack Scenarios:
+An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives:
+A legitimate user may generate an event by entering an incorrect password.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors:
+Original rule by Max Vision modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+Arachnids:
+http://www.whitehats.com/info/IDS392
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3336.txt
+++ snort-2.8.5.2/doc/signatures/3336.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3336
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1682.txt
+++ snort-2.8.5.2/doc/signatures/1682.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1682
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2062.txt
+++ snort-2.8.5.2/doc/signatures/2062.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2062
+
+--
+Summary:
+server performance and statistics package.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+iPlanet web server uses the file .perf to display performance statistics
+for the server.
+
+An attacker can access the statistics for the server by making a request
+for the file .perf.
+
+--
+Affected Systems:
+iPlanet web servers using this object.
+
+--
+Attack Scenarios:
+The attacker merely needs to access http://www.foo.com/.perf
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow viewing of web server statistics from external sources.
+
+Remove the appropriate lines from the obj.conf file to disallow viewing
+of server performance statistics.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000323.txt
+++ snort-2.8.5.2/doc/signatures/100000323.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000323
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "ScozNet ScozNews" application running on a
+webserver. Access to the file "news.php" using a remote file being passed as
+the "main_path" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "main_path" parameter in the "news.php" script used by
+the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/3080.txt
+++ snort-2.8.5.2/doc/signatures/3080.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+3080
+
+--
+Summary:
+This event is generated when a remote attacker sends an overly long "secure"
+query to a host acting as an Unreal engine server. This may
+indicate an attempt to exploit a buffer overflow vulnerability.
+
+--
+Impact:
+Serious. A successful buffer overflow can permit the execution of arbitrary
+code on a vulnerable system.
+
+--
+Detailed Information:
+Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
+available for Linux, Windows and Macintosh platforms. The Unreal engine is
+used for both client and server functionality. An overly long "secure"
+query can be sent to the game server, causing a buffer overflow and the
+subsequent execution of arbitrary code.
+
+--
+Affected Systems:
+ Multiple versions of the Unreal Engine running on Linux, Microsoft
+ Windows and Macintosh platforms.
+
+--
+Attack Scenarios:
+An attacker can send an overly long "secure" query to a vulnerable host, causing
+a buffer overflow and the subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+Unreal servers can be configured to run on arbitrary ports.
+Administrators should either change the port used in the rule or create
+a variable for the ports to be used in the rule.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current nonaffected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak
+
+--
+Additional References:
+
+OSVDB
+http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1821.txt
+++ snort-2.8.5.2/doc/signatures/1821.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1821
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in dvips on some RedHat Linux systems.
+
+--
+Impact:
+Execution of commands with the privileges of the lp daemon.
+
+--
+Detailed Information:
+dvips is used to convert DVI documents into PostScript format for
+printing. The line printer daemon may use dvips to print DVI documents
+using a filter.
+
+A configuration error in some distributions of RedHat Linux allows a
+remote attacker to execute commands via this utility.
+
+--
+Affected Systems:
+ RedHat Linux 6.2, 7.0 and 7.1
+
+--
+Attack Scenarios:
+The attacker can place the commands to be excuted in a DVI file and send
+that to the lp daemon.
+
+--
+Ease of Attack:
+Simple. No exploit software is required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+
+Ensure that dvips is executed in safe mode by the lp daemon by
+specifying the use of the -R flag in the dvi-to-ps.fpi configuration file.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2845.txt
+++ snort-2.8.5.2/doc/signatures/2845.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2845
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000580.txt
+++ snort-2.8.5.2/doc/signatures/100000580.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000580
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "cat_view.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "cat_view.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/775.txt
+++ snort-2.8.5.2/doc/signatures/775.txt
@@ -0,0 +1,97 @@
+Rule:
+
+--
+Sid:
+775
+
+--
+Summary:
+QAZ is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+ Windows XP
+
+No other systems are affected. This is a windows exceutable that makes changes to the system registry.
+
+The Trojan changes system startup files and registry settings to add the QAZ sever to programs normally started on boot.
+
+ SID Message
+ --- -------
+ 108 QAZ Worm Client Login access
+ 731 Virus - Possible QAZ Worm (Indicates worm activity)
+ 775 Virus - Possible QAZ Worm Infection (Indicates worm activity)
+ 733 Virus - Possible QAZ Worm Calling Home (Indicates the worm is trying to send mail)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+
+Registry keys added are:
+
+ StartIE=C:\WINDOWS\notepad.exe qazwsx.hsq
+
+This will start the Trojan each time notepad is executed.
+
+Look for the existence of the file note.com. The file notepad.exe may have been replaced with a Trojaned version that is approximately 120 kb in size (the original is 52 kb).
+
+A machine reboot is required to clear the existing process from running in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS501
+http://www.whitehats.com/info/IDS498
+http://www.whitehats.com/info/IDS499
+
+McAfee
+http://vil.nai.com/vil/content/v_98775.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
+
+Diamond Computer Systems Security Advisory
+http://www.diamondcs.com.au/web/alerts/qaz.htm
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1105.txt
+++ snort-2.8.5.2/doc/signatures/1105.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1105
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3191.txt
+++ snort-2.8.5.2/doc/signatures/3191.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3191
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/538.txt
+++ snort-2.8.5.2/doc/signatures/538.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+538
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+ All systems using Samba for file sharing.
+ All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1831.txt
+++ snort-2.8.5.2/doc/signatures/1831.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+
+1831
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a Denial of Service (DoS) condition in the Jigsaw web server from W3C.
+
+--
+Impact:
+Denial of Service.
+
+--
+Detailed Information:
+Jigsaw is a Java-based web server developed by W3C. Jigsaw version 2.2.1 is vulnerable to a DoS attack caused by improper handling of requests for DOS device names.
+
+Jigsaw web server versions prior to 2.2.1 (Build 20020711) contain a Denial of Service vulnerability in a handler that processes HTTP requests for DOS device files. This may result in process threads hanging and a consumption of all available resources.
+
+
+--
+Affected Systems:
+ Jigsaw 2.2.1
+
+--
+Attack Scenarios:
+It is possible to crash the Jigsaw web server by requesting /servlet/con about 30 times.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+Certain HTTP requests may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Jigsaw (2.2.1 Build 20020711 or later)
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5258/
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1826.txt
+++ snort-2.8.5.2/doc/signatures/1826.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1826
+
+--
+Summary:
+This event is generated when an attempt is made to access the WEB-INF
+directory on a web server.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the WEB-INF
+directory on a web server.
+
+Multiple vendors are affected by an information disclosure issue where
+sensitive contents of a web application server can be revealed to an
+attacker by requesting the contents of this directory.
+
+--
+Affected Systems:
+ Multiple vendors, see references.
+
+--
+Attack Scenarios:
+The attacker can make a simple web request for the directory that will
+reveal the sensitive files. The attacker can then retrieve the files for
+information that can be used in later attacks against the server or
+application.
+
+--
+Ease of Attack:
+Simple. Exploit software not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1199.txt
+++ snort-2.8.5.2/doc/signatures/1199.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1199
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/409.txt
+++ snort-2.8.5.2/doc/signatures/409.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+409
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Echo Reply with an invalid or undefined ICMP Code.
+
+--
+
+Impact:
+Information-gathering. An ICMP Echo Reply message is sent in response to an ICMP Echo Request message. If the ICMP Echo Reply message reaches the requesting host it indicates that the replying host is alive. Most OS's (operating systems) will accept an ICMP Echo Reply message with an invalid or undefined ICMP code set as a valid ICMP Echo Reply.
+
+--
+
+Detailed Information:
+ICMP Type 0 Code 0 is the RFC defined messaging type for ICMP Echo Reply datagrams. This type of message is used to determine if a host is active on the network.
+
+--
+
+Attack Scenarios:
+Remote attackers my generate ICMP Echo Reply datagrams with invalid ICMP Codes in an attempt to cause faults in the applications or hosts generating ICMP Echo Requests.
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Use ingress filtering to prevent ICMP Type 0 messages from entering the network.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/432.txt
+++ snort-2.8.5.2/doc/signatures/432.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+
+Sid:
+432
+
+--
+
+Summary:
+This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram.
+
+--
+
+Impact:
+ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
+
+--
+
+Detailed Information:
+Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index).
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+RFC2521
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/924.txt
+++ snort-2.8.5.2/doc/signatures/924.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+924
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2215.txt
+++ snort-2.8.5.2/doc/signatures/2215.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2215
+
+--
+Summary:
+This event is generated when an attempt is made to access nsManager.cgi on an internal web server. This may indicate an attempt to exploit an authentication vulnerability in Alabanza Control Panel 3.0 and earlier.
+
+--
+Impact:
+System integrity.
+
+--
+Detailed Information:
+Alabanza Control Panel 3.0 is an application that manages automated virtual domain administration. It contains a vulnerability which allows an attacker to bypass authentication using specially crafted HTTP requests to add, modify, or delete domains, or change MX and CNAME host information for managed hosts.
+
+--
+Affected Systems:
+Any domains managed by an administrator using Alabanza Control Panel 3.0 or earlier.
+
+--
+Attack Scenarios:
+An attacker crafts a URL that adds or deletes a virtual domain and transmits it to nsManager.cgi. The Alabanza Control Panel makes the requested change without prompting for a username or password.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses nsManager.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of the software, or apply the vendor-provided patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1710
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2338.txt
+++ snort-2.8.5.2/doc/signatures/2338.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2338
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in GtkFtpd.
+
+--
+Impact:
+Execution of arbitrary code. Possible unauthorized root access.
+
+--
+Detailed Information:
+GtkFtpd fails to perform sufficient checks on user supplied data to the
+daemon. An attacker may exploit this vulnerability to execute code of
+their choosing as the root user. This may also lead to remote root
+access to the server.
+
+--
+Affected Systems:
+ GtkFtpd 1.0.2, 1.0.3 and 1.0.4
+
+--
+Attack Scenarios:
+An attacker may use a publicly available exploit script to take
+advantage of the vulnerability.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Use scp/sftp as an alternative to ftp.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2752.txt
+++ snort-2.8.5.2/doc/signatures/2752.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2752
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repgroup
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2951.txt
+++ snort-2.8.5.2/doc/signatures/2951.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2951
+
+--
+Summary:
+This event is generated when multiple stacked SMB requests are made.
+
+--
+Impact:
+Possible IDS evasion.
+
+--
+Detailed Information:
+This event is generated when multiple stacked SMB requests are detected.
+This behavior does not occur on a regular basis in normal network
+traffic. This event may indicate an attempt to evade an IDS.
+
+--
+Affected Systems:
+ All systems using SMB.
+
+--
+Attack Scenarios:
+An attacker might create multiple stacked SMB requests in an attempt to
+bypass an IDS.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+If the second and third stacked requests are of a combined length that
+is less than 37 bytes this rule will not generate an event.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disallow the use of SMB.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/304.txt
+++ snort-2.8.5.2/doc/signatures/304.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 304
+
+--
+Summary:
+This event is genereated when an attempt to overflow the buffer of a SCO server is attempted.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of SCO UNIX Calserver are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Affected Systems:
+ SCO Internet faststart 1.0, 1.1
+ SCO Open Server 5.0, 5.0.2, 5.0.3 and 5.0.4
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0306
+
+Bugtraq:
+http://www.securityfocus.com/bid/2353
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2156.txt
+++ snort-2.8.5.2/doc/signatures/2156.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2156
+
+--
+Summary:
+This event is generated when an attempt is made to ascertain the status of the Apache module mod_gzip on a host.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to ascertain the status of the Apache module mod_gzip on a host from a source external to the protected network.
+
+mod_gzip is used to compress data sent by an Apache webserver in an attempt to preserve bandwidth and speed up communications between client and server.
+
+The attacker may be trying to gain information on the server by making a query to the mod_gzip_status page. This could lead to information disclusure which might then be used in further attacks against that host.
+
+--
+Affected Systems:
+Any host using the Apache module mod_gzip.
+
+--
+Attack Scenarios:
+An attacker can retrieve information on the server by making a request for the status of mod_gzip. This request would take the form http://www.foo.com/mod_gzip_status
+
+--
+Ease of Attack:
+Simple. No exploit required.
+
+--
+False Positives:
+The event will also be generated if Nessus is used to scan the host for this vulnerability.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable the mod_gzip module.
+
+Disallow access to mod_gzip_status from sources external to the protected network.
+
+Use the Apache directive to disallow access to the mod_gzip status page to the localhost only in the following manner:
+
+
+ Order deny,allow
+ Deny from all
+ Allow from localhost
+
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2386.txt
+++ snort-2.8.5.2/doc/signatures/2386.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+2386
+
+--
+Summary:
+This event is generated when an attempt is made to scan for a known
+vulnerability in the Microsoft implementation of the ASN.1 Library using
+Nessus.
+
+--
+Impact:
+Intelligence gathering.
+
+--
+Detailed Information:
+A buffer overflow condition in the Microsoft implementation of the ASN.1
+Library. It may be possible for an attacker to exploit this condition by
+sending specially crafted authentication packets to a host running a
+vulnerable operating system.
+
+When the taget system decodes the ASN.1 data, exploit code may be included
+in the data that may be excuted on the host with system level privileges.
+Alternatively, the malformed data may cause the service to become
+unresponsive thus causing the DoS condition to occur.
+
+This event indicates a possible attempt to enumerate vulnerable hosts using
+Nessus.
+
+--
+Affected Systems:
+ Microsoft Windows NT
+ Microsoft Windows NT Terminal Server Edition
+ Microsoft Windows 2000
+ Microsoft Windows XP
+ Microsoft Windows 2003
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0818
+
+US-CERT
+http://www.us-cert.gov/cas/techalerts/TA04-041A.html
+
+Microsoft
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2221.txt
+++ snort-2.8.5.2/doc/signatures/2221.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2221
+
+--
+Summary:
+This event is generated when an attempt is made to access ws_mail.cgi on an internal web server. This may indicate an attempt to exploit a remote command execution vulnerability in cgiCentral WebStore 400 4.14.
+
+--
+Impact:
+Execution of arbitrary code. An attacker must be an authenticated WebStore administrator to successfully execute this exploit.
+
+--
+Detailed Information:
+cgiCentral WebStore 400 is an online shopping cart application for web servers. It contains a vulnerability in the "kill" parameter, where a malicious user with an authorized administrative WebStore account can execute arbitrary code on the web server and gain root access to the compromised server.
+
+--
+Affected Systems:
+Any web server running cgiCentral WebStore 400 4.14 or WebStore 400 CS 4.14.
+
+--
+Attack Scenarios:
+An attacker with a valid WebStore administrator account sends a specially crafted HTTP request with shell commands in the URL's kill parameter. The shell commands are then executed with the security context of the server, allowing the attacker to obtain root access to the compromised machine.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses ws_mail.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is unknown if this vulnerability was fixed with WebStore 4.15. Contact the vendor, RDC Software (http://www.ratite.com/) for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/2861
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1186.txt
+++ snort-2.8.5.2/doc/signatures/1186.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1186
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-ver-diff".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+ Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+--
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server.
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/727.txt
+++ snort-2.8.5.2/doc/signatures/727.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+727
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+ Microsoft Windows 9x
+ Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/273.txt
+++ snort-2.8.5.2/doc/signatures/273.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+273
+
+--
+Summary:
+This event is generated when a remote attacker transmits fragmented IGMP packets with malformed headers to the internal network, indicating an IGMP Denial of Service (DoS) attack.
+
+--
+Impact:
+Denial of service.
+
+--
+Detailed Information:
+If an IGMP packet with a malformed header is transmitted to an unpatched Microsoft Windows computer, the computer may crash when it attempts to process the packet.
+
+--
+Affected Systems:
+Microsoft Windows 95
+Microsoft Windows 98
+Microsoft Windows 98 SE
+Microsoft Windows NT 4
+
+--
+Attack Scenarios:
+An attacker sends fragmented IGMP packets with malformed headers to a target computer. If the computer is running an unpatched version of Windows, it may crash.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Install the latest patches available for your operating system. See http://www.microsoft.com/technet/security/bulletin/ms99-034.asp for more information.
+
+Implement a packet-filtering firewall to block inappropriate traffic to the network.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/514
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms99-034.asp
+
+--
--- snort-2.8.5.2.orig/doc/signatures/899.txt
+++ snort-2.8.5.2/doc/signatures/899.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+899
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1772.txt
+++ snort-2.8.5.2/doc/signatures/1772.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1772
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+pbserver.dll component associated with the Microsoft Phone Book Service.
+
+--
+Impact:
+Remote access. Malicious access of the pbserver.dll component can allow
+the execution of arbitrary commands on a vulnerable server.
+
+--
+Detailed Information:
+The Microsoft Phone Book Service allows dial-in clients to download
+phone book updates from the Internet Information Server (IIS) running
+the Phone Book Service. The pbserver.dll is the Internet Services
+Application Programming Interface (ISAPI) that implements the update
+service. A buffer overflow exists in pbserver.dll that may permit the
+execution of arbitrary commands on the server.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows 2000 Server
+
+--
+Attack Scenarios:
+An attacker can craft an HTTP request for a phone book update to a host
+running the Phone Book Service.
+
+--
+Ease of Attack:
+Simple. Exploit code is available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete pbserver.dll if the Phone Book Service is unnecessary.
+
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Judy Novak
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1428.txt
+++ snort-2.8.5.2/doc/signatures/1428.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1428
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+ All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/415.txt
+++ snort-2.8.5.2/doc/signatures/415.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+415
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Information Reply datagram.
+
+--
+
+Impact:
+ICMP Information Reply datagrams contain the network number of the network segment the datagram was generated on. This could be an indication of an improperly configured host attempting to locate the network number of the subnet it is located in.
+
+--
+
+Detailed Information:
+This message is generated in response to an ICMP Information Request Message. Hosts that generated ICMP Information Request Messages are attempting to obtain the network number of subnet it is on.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 16 datagrams are not normal network activity. Hosts generating ICMP Information Request messages or Information Reply Messages should be checked for configuration errors.
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/360.txt
+++ snort-2.8.5.2/doc/signatures/360.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+360
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in Serv-U FTP from CatSoft.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+Serv-U FTP from CatSoft is an FTP server for Windows 2000, NT and 9x systems.
+
+An attacker can download and upload files on the same partition as the ftp root. The attacker can use a standard user account with write and read access to a home folder.
+
+The vulnerability appears in Catsoft Serv-U FTP Server version 2.5a-h. A Unicode support implementation error was made, which allows an attacker to submit %20..%20.. to receive a "..", which allows an attacker to traverse the directory structure of the server.
+
+--
+Affected Systems:
+CatSoft Serv-U 2.4
+CatSoft Serv-U 2.5
+Note: CatSoft Serv-U 2.5i is not affected.
+
+--
+Attack Scenarios:
+Any standard user can break into the system root and access any file. An attacker could also guess a login and weak password, login and use the directory traversal to gain the Serv-U FTP Server's configuration file. The configuration file can be modified to give "execute" rights, uploaded using %20. directory traversal and trojans can be installed.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Check FTP log files for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Ueli Kistler,
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3163.txt
+++ snort-2.8.5.2/doc/signatures/3163.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3163
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1492.txt
+++ snort-2.8.5.2/doc/signatures/1492.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1492
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2977.txt
+++ snort-2.8.5.2/doc/signatures/2977.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2977
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+ Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1021.txt
+++ snort-2.8.5.2/doc/signatures/1021.txt
@@ -0,0 +1,67 @@
+Rule:
+
+Sid:
+1021
+
+--
+
+Summary:
+This event is generated when an attempt is made to retrieve file
+contents by exploiting a vulnerability in Microsoft Internet
+Information Server (IIS) ISAPI component.
+
+--
+Impact:
+Information Disclosure.
+
+--
+Detailed Information:
+Default installations of IIS 4.0 and IIS 5.0 contain a vulnerability in
+ISM.DLL that can allow an attacker to retrieve the contents of
+files on the system. This could be used to retrieve web application
+source code or the contents of other sensitive files.
+
+--
+Affected Systems:
+ Microsoft IIS 4.0 and 5.0
+ Multiple vendor implementations of IIS.
+
+--
+Attack Scenarios:
+The attacker sends a URL containing the file to be retrieved (without the
+extension), followed by approximately 230 "%20" (ascii space) characters
+followed by ".htr".
+
+Note: This attempt can only be performed once. The server must be
+restarted to make another sucessful request.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Check server logs for signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+References:
+
+CVE: CAN-2000-0457
+Bugtraq: BID 1193
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3137.txt
+++ snort-2.8.5.2/doc/signatures/3137.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+3137
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft systems using Server Message Block (SMB).
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+SMB is a client - server protocol used in sharing resources such as
+files, printers, ports, named pipes and other things, between machines
+on a network.
+
+A vulnerability in the Microsoft implementation of SMB exists due to a
+programming error which may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain unauthorized access to the target host.
+
+A malicious attacker can exploit the vulnerability by sending a
+malicious response from a server in response to a client request using
+SMB.
+
+--
+Affected Systems:
+ Microsoft Windows 2003
+ Microsoft Windows 2000
+ Microsoft Windows XP
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message from the server
+containing code of their choosing to be run on the client.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Turn off windows file and print services.
+
+Use Samba as an alternative.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+eEye:
+http://www.eeye.com/html/research/advisories/AD20050208.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1440.txt
+++ snort-2.8.5.2/doc/signatures/1440.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1440
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+--
+Affected Systems:
+ All systems running multimedia applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3309.txt
+++ snort-2.8.5.2/doc/signatures/3309.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3309
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000130.txt
+++ snort-2.8.5.2/doc/signatures/100000130.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+100000130
+
+--
+Summary:
+This event is generated when a request for the file "Filelist.html" is sent to
+the PY Software Active Webcam Server.
+
+--
+
+Impact:
+A denial of service will result, and the server will need to be manually
+restarted.
+
+--
+Detailed Information:
+Requests for the file "Filelist.html" will cause the PY Software Active Webcam
+Server to crash. This rule looks for such requests on port 8080, the default
+port for this server.
+
+--
+Affected Systems:
+PY Software Active WebCam 4.3
+PY Software Active WebCam 5.5
+
+--
+
+Attack Scenarios:
+This vulnerability may be exploited with a web browser or a script.
+
+--
+
+Ease of Attack:
+Simple, as it can be exploited using a web browser.
+
+--
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Currently, there are no known workarounds or fixes.
+
+--
+Contributors:
+Alex Kirk
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1166.txt
+++ snort-2.8.5.2/doc/signatures/1166.txt
@@ -0,0 +1,63 @@
+Rule:
+
+Sid:
+1166
+
+--
+
+Summary:
+This event is generated when an attempt is made to download the file ws_ftp.ini
+via a web request.
+
+--
+Impact:
+Serious. Information Disclosure.
+
+--
+Detailed Information:
+When a user of WS_FTP chooses "save password" when connecting to an FTP
+server, the password is stored in the file ws_ftp.ini which may be
+accessible via a web server. The stored passwords use a weak encryption
+scheme that is easy broken.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker might be able to retrieve the file, use one of the widely
+available password cracking tools and gain valid login information to
+the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+Change all passwords used on the host.
+
+Disallow the use of ftp on the server, consider the use of scp to
+transfer files.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000482.txt
+++ snort-2.8.5.2/doc/signatures/100000482.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000482
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "BoastMachine" application running on a webserver.
+Access to the file "vote.php" using a remote file being passed as the "bmc_dir"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "bmc_dir" parameter in the "vote.php" script used by the
+"BoastMachine" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BoastMachine
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/2936.txt
+++ snort-2.8.5.2/doc/signatures/2936.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2936
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2676.txt
+++ snort-2.8.5.2/doc/signatures/2676.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2676
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_instantiation
+. This procedure is included in
+dbms_repcat_rgt.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/661.txt
+++ snort-2.8.5.2/doc/signatures/661.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+661
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a problem with Majordomo software that allows arbitrary commands to be executed on the server.
+
+--
+Impact:
+Attempted administrator access. This is an attempt to execute a command on a server where Majordomo is installed.
+
+--
+Detailed Information:
+Majordomo is an application that automates mailing list management. An input validation error allows attackers to use a malformed email header as a command that will be executed on the host. To be vulnerable, the server must use a list or a hidden list and the configuration file must specify an advertise or noadvertise option. This has been documented as either a local or remote attack on the host.
+
+--
+Affected Systems:
+Majordomo versions up to and including 1.94.4.
+
+--
+Attack Scenarios:
+An attacker can send a malformed e-mail header to the Majordomo host. The host executes a command that facilitates access to the host.
+
+
+--
+Ease of Attack:
+Simple. Use an appropriate malformed header and supply a command that enables access to the host.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to Majordomo version 1.94.5 or higher.
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2310
+
+Arachnids:
+http://www.whitehats.com/info/IDS143
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0207
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1931.txt
+++ snort-2.8.5.2/doc/signatures/1931.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1931
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2972.txt
+++ snort-2.8.5.2/doc/signatures/2972.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+536
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+ All systems using Samba for file sharing.
+ All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/973.txt
+++ snort-2.8.5.2/doc/signatures/973.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+973
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the victim server.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
+
+--
+Affected Systems:
+IIS 4.0 hosts
+
+--
+Attack Scenarios:
+An attacker can send a malformed request of a .idc file that causes a buffer overflow.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
+
+Bugtraq:
+http://www.securityfocus.com/bid/307
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2843.txt
+++ snort-2.8.5.2/doc/signatures/2843.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2843
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_snapshot_repobject
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1942.txt
+++ snort-2.8.5.2/doc/signatures/1942.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1942
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2405.txt
+++ snort-2.8.5.2/doc/signatures/2405.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2405
+
+--
+Summary:
+This event is generated when an attempt is made to access the file "phptest.php".
+BadBlue Personal Edition 2.4 servers could disclose confidential
+information on the software configuration towards an attacker.
+
+--
+Impact:
+Information gathering.
+This signature is usually indicative of a reconaissance probe.
+Succesful exploitation would provide the originator of the attack with the
+installation path of the software.
+
+--
+Detailed Information:
+Web servers running BadBlue Personal Edition 2.4, a
+personal file sharing server, are vulnerable to a path disclosure attack.
+When a client requests the phptest.php file from such a server, the source
+of the HTTP reply page contains the installation path of the software.
+This path can be used as information for further attacks.
+
+--
+Affected Systems:
+ BadBlue Personal Edition 2.4
+
+--
+Attack Scenarios:
+During the reconaissance phase, an attacker could obtain the installation
+path of the BadBlue server. This can become valuable information during
+the later execution of directory traversal or buffer overflow attacks.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+While not a true false positive, many PHP installation howtos advise the
+creation of a small file "phptest.php" which contains a call for the
+phpinfo() function. When this file is accessed legitimately by
+someone testing a fresh install, this signature will also trigger.
+
+NOTE: The amount of information provided (installation directory, version
+numbers, environment variables), could also constitute a vulnerability
+if this file is present on a production web server.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Snort documentation contributed by Maarten Van Horenbeeck
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/981.txt
+++ snort-2.8.5.2/doc/signatures/981.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+981
+
+--
+Summary:
+This event is generated when an attempt is made use a unicode encoded representaion of a "/" in a URL request. This may permit an attacker to navigate to files and directories outside the web root of a vulnerable Internet Information Services (IIS) server.
+
+--
+Impact:
+Remote access. This attack can allow an attacker to execute commands a vulnerable IIS server.
+
+--
+Detailed Information:
+User access should be restricted to an assigned web root directory and subdirectories when interacting with a web server. Attackers who attempt to perform directory traversals outside the web root should be denied access. A vulnerability exists in IIS web servers that allows directory traversal outside the web root directory when unicode encoding of specific characters is used. This particular attack uses the unicode encoding of the "/" to escape the web root. This may permit an attacker to execute commands on the vulnerable server.
+
+--
+Affected Systems:
+IIS 4.0, 5.0 servers
+
+--
+Attack Scenarios:
+An attacker can unicode encode a directory traversal character permitting execution of commands on the IIS server.
+
+--
+Ease of Attack:
+Simple.
+GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0084
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
+
+--
--- snort-2.8.5.2.orig/doc/signatures/481.txt
+++ snort-2.8.5.2/doc/signatures/481.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+481
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running TJPingPro 1.1 Build 2 software.
+
+--
+Impact:
+Information gathering. An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running TJPingPro 1.1 Build 2 software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision
+Documented by Steven Alexander
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS167
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2563.txt
+++ snort-2.8.5.2/doc/signatures/2563.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2563
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability
+associated with the Symantec Firewall.
+
+--
+Impact:
+A successful attack may cause a heap overflow, permitting the execution
+of arbitrary code on the vulnerable host.
+
+--
+Detailed Information:
+There is a vulnerability in the way the Symantec Firewall handles NetBIOS
+Name Service response packets. If an attacker crafts a malicious UDP NetBIOS
+Name Service unsolicited response to a vulnerable Symantec Firewall that does
+not block port 137, it is possible to cause a heap overflow and execute
+abitrary code with kernel privileges. The vulnerability exists because of
+improper validation of the existence of required fields for the NetBIOS name
+returned. The default configuration does not allow UDP port 137 traffic and
+should not be exploitable if UDP port 137 is blocked.
+
+--
+Affected Systems:
+Symantec Norton Internet Security and Professional 2002,2003,2004
+Symantec Norton Personal Firewall 2002,2003,2004
+Symantec Norton AntiSpam 2004
+Symantec Client Firewall 5.01, 5.1.1
+Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
+
+--
+Attack Scenarios:
+An attacker can craft a malicious UDP NetBIOS Name Service response,
+possibly causing a heap overflow and the subsequent execution of
+arbitrary code with kernel privileges on an exploitable host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0444
+
+Bugtraq:
+http://www.securityfocus.com/bid/10335
+
+Misc:
+http://www.eeye.com/html/Research/Advisories/AD20040512C.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000601.txt
+++ snort-2.8.5.2/doc/signatures/100000601.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000601
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "inv_markunpaid.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"inv_markunpaid.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1544.txt
+++ snort-2.8.5.2/doc/signatures/1544.txt
@@ -0,0 +1,78 @@
+Rule:
+--
+Sid:
+1544
+--
+Summary:
+This event is generated when an attempt is made to list the user
+configuration file on a Cisco router or switch.
+--
+Impact:
+If successful, the switch will reveal the local authentication user
+configuration file to an attacker without requiring prior
+authentication.
+--
+Detailed Information:
+The HTTP server that is part of some versions of the Cisco IOS software
+allows remote command execution when the access control method is set to
+local authentication.
+
+--
+Affected Systems:
+The following Cisco products can be affected. Whether they actually
+are vulnerable or not depends on the version of IOS that they are
+running. To properly determine if your product is vulnerable, see the
+Cisco website referenced below. This is not exploitable if the device
+is using an access control method other than local authentication.
+Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
+1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
+AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
+series.
+Most recent versions of the LS1010 ATM switch.
+The Catalyst 6000 and 5000 if they are running Cisco IOS software.
+The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco
+IOS software.
+The Catalyst 2900 and 3000 series LAN switches are affected.
+The Cisco Distributed Director.
+--
+Attack Scenarios:
+By making the request to a vulnerable system, an attacker can take
+complete control of a Cisco device.
+--
+Ease of Attack:
+Simple. HTTP GET request, a browser may be used.
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This rule only looks for one particular command (show config cr).
+However, this vulnerability will allow any other command to be executed
+on the device at the highest privilege level, and this rule will
+not detect them.
+
+This rule only looks for attacks against systems that are included
+in the $HTTP_SERVERS group. Many administrators do not consider
+routers or switches to be web servers, and therefore may not include
+vulnerable devices in this group, causing an attack to proceed
+unnoticed. If you think one of your routers or switches is vulnerable,
+reference it in the $HTTP_SERVERS group.
+--
+Corrective Action:
+Turn off the web server functionality, use access lists to ensure only
+trusted hosts have access to the device, use TACACS+ or RADIUS for
+access control, or upgrade your version of IOS.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Snort documentation contributed by Kevin Peuhkurinen
+
+--
+Additional References:
+
+Cisco
+http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000171.txt
+++ snort-2.8.5.2/doc/signatures/100000171.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+100000171
+
+--
+Summary:
+This event is generated when an overly long Accept: parameter is sent in an
+HTTP request, which will cause a buffer overflow to occur in the GFI
+MailSecurity for Exchange/SMTP web interface.
+
+--
+Impact:
+A denial of service will occur in the vulnerable application, and remote code
+may be executed with the priviliges of the user running the application.
+
+--
+Detailed Information:
+GFI MailSecurity for Exchange/SMTP is an anti-virus program that integrates
+with Microsoft Exchange servers. Its web interface is vulnerable to a buffer
+overflow attack, which may be triggered by sending a Accept: parameter of 100
+or more bytes in an HTTP request. Vulnerable versions of the application will
+crash, and code may be executed with the priviliges of the user running the
+program.
+
+--
+Affected Systems:
+GFI MailSecurity for Exchange/SMTP 8.1
+
+--
+Attack Scenarios:
+Attackers will likley exploit this with a script.
+
+--
+Ease of Attack:
+Simple, as no authentication is required, and HTTP is a well-documented
+protocol, which allows for easy creation of malicious packets.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Download and apply the patch referenced below.
+
+--
+Contributors:
+rmkml
+Sourcefire Research Team
+
+--
+Additional References
+ftp://ftp.gfi.com/patches/MSEC8_PATCH_20050919_01.zip
+
+--
--- snort-2.8.5.2.orig/doc/signatures/3121.txt
+++ snort-2.8.5.2/doc/signatures/3121.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3121
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2315.txt
+++ snort-2.8.5.2/doc/signatures/2315.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2315
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Workstation service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to insufficient bounds checking in the Microsoft Windows Workstation
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, the DCE/RPC service allows for overly long strings to be
+sent to the Workstation logging function. This logging function does not
+check parameters sufficiently which results in the buffer overflow
+condition.
+
+--
+Affected Systems:
+ Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
+ Microsoft Windows XP, Microsoft Windows XP Service Pack 1
+ Microsoft Windows XP 64-Bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-28.html
+http://www.kb.cert.org/vuls/id/567620
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-049.asp
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1060.txt
+++ snort-2.8.5.2/doc/signatures/1060.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1060
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
--- snort-2.8.5.2.orig/doc/signatures/474.txt
+++ snort-2.8.5.2/doc/signatures/474.txt
@@ -0,0 +1,65 @@
+Rule:
+--
+Sid:
+474
+
+--
+Summary:
+This event is generated when an ICMP Echo Request from the Windows based
+scanner SuperScan is detected.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+SuperScan is a freely available Windows based scanner from Foundstone.
+The scanners default behavior is to send an ICMP Echo Request before
+starting the scan. This ICMP packet has a special payload of eight (8) bytes,
+consisting of the number zero (0).
+
+This scanner is fairly popular among Windows users.
+
+--
+Affected Systems:
+ All
+
+--
+Attack Scenarios:
+SuperScan may be used as an information gathering tool to detect active hosts
+on a network by sending icmp echo requests.
+
+--
+Ease of Attack:
+Simple. SuperScan is widely available.
+
+--
+False Positives:
+Tools other than SuperScan may generate echo requests with the same content.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Johan Augustsson
+ and Josh Gray
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Foundstone
+http://www.foundstone.com/
+
+McAfee:
+http://vil.nai.com/vil/content/v_103727.htm
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2558.txt
+++ snort-2.8.5.2/doc/signatures/2558.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2558
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+--
+
+Impact:
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios:
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
+to configure the Oracle Web Cache server to run on different ports. The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2996.txt
+++ snort-2.8.5.2/doc/signatures/2996.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2996
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+ Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2223.txt
+++ snort-2.8.5.2/doc/signatures/2223.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+2223
+
+--
+Summary:
+This event is generated when an attempt is made to access csNews.cgi on an internal web server. This may indicate an attempt to exploit a file disclosure vulnerability in csNews.cgi, a script distributed by CGIScript.NET.
+
+--
+Impact:
+Information disclosure. The attacker must have an authenticated account to successfully execute this exploit.
+
+--
+Detailed Information:
+csNews.cgi is a Perl script that manages web-based news items, and contains a vulnerability in its ability to decode and filter out double-decoded URL data on the Advanced Settings page. An authenticated attacker can insert double-decoded directory traversals and file names into the header or footer parameters in csNews.cgi, and the files will appear in the header or footer of the page.
+
+--
+Affected Systems:
+Systems running CGISCRIPT.NET csNews 1.0 or CGISCRIPT.NET csNews Professional 1.0
+
+--
+Attack Scenarios:
+An attacker crafts a URL with /../../passwd double-encoded in the header or footer parameter. If the password file exists in that location, the file will appear in the header or footer of the web page.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses csNews.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been patched or fixed in later versions. Contact the vendor for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2230.txt
+++ snort-2.8.5.2/doc/signatures/2230.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2230
+
+--
+Summary:
+This event is generated when an attempt is made to access the web
+administration interface for a Netgear router using the default username
+and password.
+
+--
+Impact:
+Administrative access to the router
+
+--
+Detailed Information:
+Netgear routers have a default username and password of "admin" and
+"password", if this is not changed by the administrator it is possible
+for an attacker to gain administrative access to the router.
+
+--
+Affected Systems:
+ Netgear routers
+
+--
+Attack Scenarios:
+An attacker merely needs to login to the interface using the default
+username and password via a web browser.
+
+--
+Ease of Attack:
+Simple. NO exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Change the username and password.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2667.txt
+++ snort-2.8.5.2/doc/signatures/2667.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2667
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+ping.asp.
+
+--
+Impact:
+Possible Denial of Service (DoS)
+
+--
+Detailed Information:
+The script ping.asp allows a user to use the system ping command to send
+ICMP echo request messages to a third party from the web server hosting
+the script.
+
+This script does not properly sanitize user input and may be used as a
+tool in a DoS attack against that third party server.
+
+--
+Affected Systems:
+ All systems
+
+--
+Attack Scenarios:
+An attacker can supply the address of a target host and pass parameters
+to the ping command via the web interface to cause a possible exhaustion
+of resources on a target host to cause the DoS condition.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Uninstall the script ping.asp
+
+Only allow usage from authenticated users
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+SecurityFocus mailing list:
+http://online.securityfocus.com/archive/82/275088
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1570.txt
+++ snort-2.8.5.2/doc/signatures/1570.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1570
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+loadpage.cgi.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain access to the
+script loadpage.cgi, part of the CGI application AHG EZshopper running
+on a web server. Some applications do not perform stringent checks when
+validating the credentials of a client host connecting to the services
+offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored
+on the machine can be compromised and trust relationships between the
+victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+
+ AHG EZshopper v3.0 and v2.0 for UNIX
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+NSFocus:
+http://www.nsfocus.com/english/homepage/research/0009.htm
+
+--
--- snort-2.8.5.2.orig/doc/signatures/870.txt
+++ snort-2.8.5.2/doc/signatures/870.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+870
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2063.txt
+++ snort-2.8.5.2/doc/signatures/2063.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2063
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Demarc PureSecure.
+
+--
+Impact:
+Administrative control of the Demarc PureSecure IDS, Information
+disclosure
+
+--
+Detailed Information:
+Demarc PureSecure is a Snort based Intrusion Detection System. A
+vulnerability exists where an attacker can bypass login authorization
+using SQL injection.
+
+Versions of Demarc PureSecure up to 1.6 suffer from poor authentication
+methods, where input in the form of specially constructed SQL queries
+can allow an attacker to gain administrative access to the IDS.
+
+--
+Affected Systems:
+Demarc PureSecure prior to version 1.6
+
+--
+Attack Scenarios:
+The attacker needs to send specially constructed SQL queries directly to
+the Demarc login page.
+
+For example, the attacker might send his own variables for the session
+id or session key in a query s_key=' OR current_session_id LIKE '%' the
+attacker would of course, need to convert spaces to their encoded
+equivalents and escape special characters.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/4520
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0539
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000619.txt
+++ snort-2.8.5.2/doc/signatures/100000619.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000619
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "link_validate_edit.php" using a remote file being passed as
+the "admin_template_path" parameter may indicate that an exploitation attempt
+has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"link_validate_edit.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/3425.txt
+++ snort-2.8.5.2/doc/signatures/3425.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3425
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2419.txt
+++ snort-2.8.5.2/doc/signatures/2419.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2419
+
+--
+Summary:
+This event is generated when an attempt is made to download a file that
+may be an attack vector for a known exploit to a vulnerability in Real
+Networks RealPlayer/RealOne player.
+
+--
+Impact:
+Serious. Execution of arbitrary code.
+
+--
+Detailed Information:
+RealNetworks RealPlayer/RealOne player is a streaming media player for
+Microsoft Windows, Apple Macintosh and UNIX/Linux based operating systems.
+
+A buffer overrun condition is present in some versions of the player
+that may present a remote attacker with the opportunity to execute code
+of their choosing on a client using one of these players.
+
+--
+Affected Systems:
+ Real Networks RealOne Desktop Manager
+ Real Networks RealOne Enterprise Desktop 6.0.11 .774
+ Real Networks RealOne Player 1.0
+ Real Networks RealOne Player 2.0
+ Real Networks RealOne Player 6.0.11 .868
+ Real Networks RealOne Player version 2.0 for Windows
+ Real Networks RealPlayer 8.0 Win32
+ Real Networks RealPlayer 8.0 Unix
+ Real Networks RealPlayer 8.0 Mac
+ Real Networks RealPlayer 10.0 BETA
+
+--
+Attack Scenarios:
+An attacker may supply a malformed file to the client to exploit the
+issue.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1820.txt
+++ snort-2.8.5.2/doc/signatures/1820.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1820
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2481.txt
+++ snort-2.8.5.2/doc/signatures/2481.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+ Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1648.txt
+++ snort-2.8.5.2/doc/signatures/1648.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1648
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/725.txt
+++ snort-2.8.5.2/doc/signatures/725.txt
@@ -0,0 +1,91 @@
+Rule:
+
+--
+Sid:
+725
+
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+ Microsoft Windows 9x
+ Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000532.txt
+++ snort-2.8.5.2/doc/signatures/100000532.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000532
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "BtitTracker" application running on a webserver. Access
+to the file "torrents.php" with SQL commands being passed as the "order"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "order" parameter in the "torrents.php" script used by
+the "BtitTracker" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using BtitTracker
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1984.txt
+++ snort-2.8.5.2/doc/signatures/1984.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1984
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000374.txt
+++ snort-2.8.5.2/doc/signatures/100000374.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000374
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_words.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_words.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/100000845.txt
+++ snort-2.8.5.2/doc/signatures/100000845.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000845
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Invision Power Board" application running on a webserver. Access to the file "ipsclass.php" with SQL commands being passed as the "HTTP_CLIENT_IP" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "HTTP_CLIENT_IP" parameter in the "ipsclass.php" script used by the "Invision Power Board" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Invision Power Board
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/3013.txt
+++ snort-2.8.5.2/doc/signatures/3013.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+3013
+--
+Summary:
+This event is generated when an attacker attempts to connect to the
+victim using the Asylum 0.1 trojan.
+
+--
+Impact:
+If successful, the attacker would gain unauthorized access to the
+system, enabling him to upload and execute files on the computer and
+reboot it at will, resulting in a full compromise of the victim's computer.
+
+--
+Detailed Information:
+When executed, Asylum 0.1 opens up its assigned port (default is 23432)
+for communication with the attacker. Asylum 0.1 has four functions:
+Upload File, Open File, Reboot Computer, and Remove Server.
+
+Upload File: Look for traffic on port 23432 containing UPL followed by a file location.
+Open File: Look for traffic on port 23432 containing RUN followed by a file location.
+Reboot: Look for the string "RBT" on port 23432.
+Remove Server: Look for the string "DIE" on port 23432.
+
+--
+Affected Systems:
+Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios:
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which is assigned to the server program by the attacker:
+default is 23432), and presses the connect button and he has access to
+the computer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+
+Delete the System Administration key (if found) in
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or
+HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices or
+HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
+
+Open the system.ini and (if found) replace shell=Explore.exe win32cmp.exe to shell=explore.exe
+
+Open the win.ini and (if found) delete load=c:\windows\wincmp32.exe or run=c:\windows\wincmp32.exe
+
+Find and delete the Asylum 0.1 trojan server file, usually called wincmp32.exe.
+
+Keep anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee
+
+--
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/A/Asylum.asp
+
+Dark-E:
+http://www.dark-e.com/archive/trojans/asylum/01/index.shtml
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1506.txt
+++ snort-2.8.5.2/doc/signatures/1506.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1506
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1112.txt
+++ snort-2.8.5.2/doc/signatures/1112.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1112
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/690.txt
+++ snort-2.8.5.2/doc/signatures/690.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+690
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client. This can
+lead to unauthorized access and possibly escalated privileges to that of
+the administrator. Data stored on the machine can be compromised and
+trust relationships between the victim server and other hosts can be
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000100.txt
+++ snort-2.8.5.2/doc/signatures/100000100.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000100
+
+--
+Summary:
+This event is generated when a URI of 1,050 bytes ore more is requested from an
+internal web server.
+
+--
+
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule is used in conjunction with SID 100000101 to detect buffer overflow
+attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
+rule should never generate an alert.
+
+--
+Affected Systems:
+Adobe Acrobat 5.0
+Adobe Acrobat 5.0.5
+Adobe Acrobat 6.0
+Adobe Acrobat 6.0.1
+Adobe Acrobat Reader 5.0
+Adobe Acrobat Reader 5.0.5
+Adobe Acrobat Reader 5.1
+Adobe Acrobat Reader 6.0
+Adobe Acrobat Reader 6.0.1
+
+--
+
+Attack Scenarios:
+A web browser or automated script may be used to exploit this vulnerability.
+
+--
+
+Ease of Attack:
+Simple, as simply typing a long URI into a web browser will suffice.
+
+--
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
+An alternate workaround is available: disable "Display PDF in browser" under
+Edit -> Preferences.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Alex Kirk
+
+--
+Additional References:
+http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
+
+--
--- snort-2.8.5.2.orig/doc/signatures/958.txt
+++ snort-2.8.5.2/doc/signatures/958.txt
@@ -0,0 +1,76 @@
+Rule:
+--
+Sid:
+958
+
+--
+
+Summary:
+This event is generated when an attempt is made to access a file with
+sensitive information on a webserver with Microsoft Frontpage extensions
+enabled.
+
+--
+
+Impact:
+If successful, the attacker can read sensitive data about the Frontpage web.
+
+--
+
+Detailed Information:
+On systems running Microsoft Frontpage Extensions on IIS or Apache web
+servers the file _vti_pvt/service.cnf exists which may contain sensitive
+information about the web server. This file is meant to be only used
+internally by FPSE and never directly by the user.
+
+--
+
+Affected Systems:
+ Systems using Microsoft FrontPage Server Extensions 98
+
+--
+
+Attack Scenarios:
+An attacker can request the file from its standard location, entering the exact URL.
+
+--
+
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Disable direct access to the file /_vti_pvt/service.cnf.
+
+--
+
+Contributors:
+Original Rule Writer Unknown
+Snort documentation contributed by Chaos
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+
+Additional References:
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q188/2/57.ASP&NoWebContent=1&NoWebContent=1
+
+
+
+
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000793.txt
+++ snort-2.8.5.2/doc/signatures/100000793.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000793
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "Pivot" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "line1" parameter in the "blogroll.php" script used by the "Pivot" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Pivot
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/2410.txt
+++ snort-2.8.5.2/doc/signatures/2410.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2410
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/641.txt
+++ snort-2.8.5.2/doc/signatures/641.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 641
+
+--
+Summary:
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact:
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+--
+Detailed Information:
+This rule tracks the bit combination which may occur in network packets aimed at overflowing Digital UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios:
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack:
+Simple
+
+
+--
+False Positives:
+This event may be generated by legitimate traffic to the specified port.
+
+
+--
+False Negatives:
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action:
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors:
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS352
+
+--
--- snort-2.8.5.2.orig/doc/signatures/361.txt
+++ snort-2.8.5.2/doc/signatures/361.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+361
+
+--
+Summary:
+This event is generated when a remote user executes the SITE EXEC command in a session with an internal FTP server. This may indicate an attempt to exploit a vulnerability in the SITE EXEC command in wu-ftpd version 2.4.1.
+
+--
+Impact:
+Arbitrary code execution, leading to remote root compromise. The attacker must have a valid, non-anonymous FTP account on the server to attempt this exploit.
+
+--
+Detailed Information:
+A misconfiguration in the pathnames.h configuration file in wu-ftpd 2.4.1 allows users to execute commands from /bin instead of ~username/bin. An attacker with a valid FTP account on the server can exploit this vulnerability to execute arbitrary shell code using the SITE EXEC command.
+
+--
+Affected Systems:
+Servers running Washington University wu-ftpd version 2.4.1 or earlier.
+
+--
+Attack Scenarios:
+An attacker logs into the system using a valid FTP account, and then executes arbitrary shell code to obtain root access to the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user uses the SITE EXEC command, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a later version of the wu-ftp daemon.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0080
+
+CERT
+http://www.cert.org/advisories/CA-1995-16.html
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1926.txt
+++ snort-2.8.5.2/doc/signatures/1926.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1926
+
+--
+Summary:
+This event is generated when a request is made to Network File System (NFS) to list all exported file systems and to indicate which clients are permitted to mount each file system.
+
+--
+Impact:
+Information disclosure. This can allow an attacker to discover exported NFS file systems and client mount permissions.
+
+--
+Detailed Information:
+The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. When an NFS client requests a mount of an NFS file system, mountd examines the list of exported file systems. If the NFS client is permitted access to the requested file system, mountd returns a file handle for the requested directory. An attacker or legitimate NFS client may request a list of exported file systems and client mount permissions.
+
+--
+Affected Systems:
+All systems running NFS.
+
+--
+Attack Scenarios:
+An attacker may attempt to list the exported NFS file systems as a precursor to mounting them to read or change a specific file.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to list exported NFS file systems, this rule may trigger.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+http://www.whitehats.com/info/IDS26
+
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2033.txt
+++ snort-2.8.5.2/doc/signatures/2033.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2033
+
+--
+Summary:
+A request has been made to rpc.ypserv from an external source that
+should not have access to this service. This may be indicative of an
+intelligence gathering activity as a prelude to a more serious
+compromise of system resources.
+
+service against the target host.
+
+--
+Impact:
+Disclosure of sensitive system information to an unauthorized user.
+Possible denial of service.
+
+--
+Detailed Information:
+The rpc.ypserv daemon queries information in the local NIS maps. A
+response to this query may divulge important information to the user
+performing the query. This could lead to futher exploitation of
+resources on the network.
+
+In addition, a vulnerability exists in ypserv on some Linux platforms
+that could lead to a buffer overflow and root compromise of the target
+host. This is achieved by making a multitude of requests for a NIS map
+that does not exist.
+
+--
+Affected Systems:
+Multiple systems running versions of ypserv prior to 2.5.
+
+--
+Attack Scenarios:
+The attacker can craft a malicious request to rpc.ypserv such that
+valuable information can be returned to the attacker.
+
+In the case of a buffer overflow, the attacker might issue a large
+therefore, be seen many times.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+Upgrade ypserv to the latest version.
+
+Use /var/yp/securenets to list the hosts allowed to access this resource
+where appropriate.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6016
+http://www.securityfocus.com/bid/5914
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
+
+--
--- snort-2.8.5.2.orig/doc/signatures/100000620.txt
+++ snort-2.8.5.2/doc/signatures/100000620.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000620
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "link_view.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "link_view.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- snort-2.8.5.2.orig/doc/signatures/1811.txt
+++ snort-2.8.5.2/doc/signatures/1811.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1811
+
+--
+Summary:
+This event is generated when a remote user has exploited a flaw in a
+local SSH server.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+OpenSSH has a flaw in the challenge-response mechanism when configured
+with either the "PAMAuthenticationViaKbdInt" or the
+"ChallengeResponseAuthentication" options. This flaw can be exploited by
+a user who is not authenicated and can lead to the attacker obtaining a
+root shell.
+
+--
+Affected Systems:
+OpenSSH versions 1.2 to 3.3, Solaris 9.0, IBM Linux
+Affinity Toolkit, and HP HP-UX Secure Shell A.03.10.
+
+--
+Attack Scenarios:
+An attacker can cause the service to restart or hang, leaving the
+service unavailable to users.
+
+--
+Ease of Attack:
+Simple. Exploit code available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to latest version of OpenSSH
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5093
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2825.txt
+++ snort-2.8.5.2/doc/signatures/2825.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2825
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2688.txt
+++ snort-2.8.5.2/doc/signatures/2688.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2688
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure enable_receiver_trace
+. This procedure is included in
+sys.dbms_internal_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2931.txt
+++ snort-2.8.5.2/doc/signatures/2931.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2931
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- snort-2.8.5.2.orig/doc/signatures/2072.txt
+++ snort-2.8.5.2/doc/signatures/2072.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2072
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Lyris List Manager.
+
+--
+Impact:
+Unauthorized escalation of user privileges.
+
+--
+Detailed Information:
+Lyris List Manager is a web based mailing list management interface. It
+is possible for an attacker to gain administrator privileges for mailing
+lists by modifying variables sent to the lyris.pl script.
+
+The variable list_admin is used to identify the user as an
+administrator, by changing this value from F to T the attacker can
+identify himself as the mailing list administrator.
+
+--
+Affected Systems:
+ Lyris List Manager 3.0
+ Lyris List Manager 4.0
+
+--
+Attack Scenarios:
+The attacker can save a copy of the HTML interface locally and modify
+the value of the list_admin variable, then submit the form directly to
+lyris.pl.
+
+Alternatively the attacker can choose to submit the data in a URI.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate patches from the vendor.
+
+Upgrade to the latest version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0758
+
+Bugtraq:
+http://www.securityfocus.com/bid/1584
+
+--
--- snort-2.8.5.2.orig/doc/signatures/1667.txt
+++ snort-2.8.5.2/doc/signatures/1667.txt
@@ -0,0 +1,75 @@ +Rule: +-- +Sid: +1667 +-- +Summary: +This event indicates that a cross-site scripting attack using the "img +src=javascript" vulnerability is being attempted, or a potential +attacker is testing your site to determine if it is vulnerable. + +-- +Impact: +Successful cross-site scripting attacks generally target the users of +your web site. Attackers can potentially gain access to your users +cookies or session ids, allowing the attacker to impersonate your +user. They could also set up elaborate fake logon screens to steal +user names and passwords. + +-- +Detailed Information: +Whenever a web application accepts input and then uses that input as +part of the HTML of a new page without filtering, the application is +vulnerable to cross-site scripting. The traditional means of exploiting +this is to embed a "