CVS log for snort/rules/exploit.rules

Default branch: MAIN


Revision 1.69, Tue Mar 1 18:57:10 2005 UTC (5 years ago) by bmc
Branch: MAIN
CVS Tags: HEAD
Changes since 1.68: +8 -3 lines
Diff to previous 1.68
a ton of new rules

Revision 1.63.2.5, Tue Mar 1 18:57:08 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_3
Changes since 1.63.2.4: +8 -3 lines
Diff to previous 1.63.2.4 to branch point 1.63 to next main 1.64
a ton of new rules

Revision 1.56.2.10, Tue Mar 1 18:57:06 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.9: +8 -3 lines
Diff to previous 1.56.2.9 to branch point 1.56 to next main 1.57
a ton of new rules

Revision 1.49.2.14, Tue Mar 1 18:57:04 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.13: +8 -3 lines
Diff to previous 1.49.2.13 to branch point 1.49 to next main 1.50
a ton of new rules

Revision 1.48.2.12, Tue Mar 1 18:57:02 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.11: +2 -2 lines
Diff to previous 1.48.2.11 to branch point 1.48 to next main 1.49
a ton of new rules

Revision 1.48.2.11, Thu Feb 10 01:11:42 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.10: +2 -1 lines
Diff to previous 1.48.2.10 to branch point 1.48
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.49.2.13, Thu Feb 10 01:11:34 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.12: +3 -2 lines
Diff to previous 1.49.2.12 to branch point 1.49
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.56.2.9, Thu Feb 10 01:11:24 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.8: +3 -2 lines
Diff to previous 1.56.2.8 to branch point 1.56
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.63.2.4, Thu Feb 10 01:11:14 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_3
Changes since 1.63.2.3: +3 -2 lines
Diff to previous 1.63.2.3 to branch point 1.63
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.68, Thu Feb 10 01:11:04 2005 UTC (5 years, 1 month ago) by bmc
Branch: MAIN
Changes since 1.67: +21 -5 lines
Diff to previous 1.67
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.67, Mon Jan 17 23:52:57 2005 UTC (5 years, 2 months ago) by bmc
Branch: MAIN
Changes since 1.66: +3 -1 lines
Diff to previous 1.66
* more rules.  go sourcefire.  weee.

Revision 1.63.2.3, Mon Jan 17 23:52:48 2005 UTC (5 years, 2 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: STABLE, SNORT_v2_3_0
Changes since 1.63.2.2: +3 -1 lines
Diff to previous 1.63.2.2 to branch point 1.63
* more rules.  go sourcefire.  weee.

Revision 1.56.2.8, Mon Jan 17 23:52:28 2005 UTC (5 years, 2 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.7: +3 -1 lines
Diff to previous 1.56.2.7 to branch point 1.56
* more rules.  go sourcefire.  weee.

Revision 1.49.2.12, Mon Jan 17 23:52:20 2005 UTC (5 years, 2 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.11: +3 -1 lines
Diff to previous 1.49.2.11 to branch point 1.49
* more rules.  go sourcefire.  weee.

Revision 1.66, Wed Jan 12 15:46:10 2005 UTC (5 years, 2 months ago) by bmc
Branch: MAIN
Changes since 1.65: +9 -3 lines
Diff to previous 1.65
a bunch of new rules.  go sourcefire.

Revision 1.65, Tue Nov 30 02:39:06 2004 UTC (5 years, 3 months ago) by bmc
Branch: MAIN
Changes since 1.64: +3 -1 lines
Diff to previous 1.64
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.63.2.2, Tue Nov 30 02:39:03 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: SNORT_v2_3_0-RC2
Changes since 1.63.2.1: +3 -1 lines
Diff to previous 1.63.2.1 to branch point 1.63
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.56.2.7, Tue Nov 30 02:38:59 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.6: +3 -1 lines
Diff to previous 1.56.2.6 to branch point 1.56
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.49.2.11, Tue Nov 30 02:38:55 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.10: +3 -1 lines
Diff to previous 1.49.2.10 to branch point 1.49
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.48.2.10, Tue Nov 30 02:38:50 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.9: +2 -1 lines
Diff to previous 1.48.2.9 to branch point 1.48
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.64, Wed Oct 13 20:26:07 2004 UTC (5 years, 5 months ago) by bmc
Branch: MAIN
Changes since 1.63: +27 -27 lines
Diff to previous 1.63
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.63.2.1, Wed Oct 13 20:25:57 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: SNORT_v2_3_0-RC1
Changes since 1.63: +27 -27 lines
Diff to previous 1.63
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.56.2.6, Wed Oct 13 20:25:46 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.5: +27 -27 lines
Diff to previous 1.56.2.5 to branch point 1.56
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.49.2.10, Wed Oct 13 20:25:35 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.9: +23 -23 lines
Diff to previous 1.49.2.9 to branch point 1.49
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.48.2.9, Wed Oct 13 20:25:25 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.8: +12 -12 lines
Diff to previous 1.48.2.8 to branch point 1.48
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.63, Tue Sep 7 19:36:02 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Branch point for: SNORT_2_3
Changes since 1.62: +3 -3 lines
Diff to previous 1.62
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.56.2.5, Tue Sep 7 19:35:57 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.4: +3 -3 lines
Diff to previous 1.56.2.4 to branch point 1.56
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.56.2.4, Fri Aug 27 18:55:25 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.3: +3 -3 lines
Diff to previous 1.56.2.3 to branch point 1.56
* sync

Revision 1.62, Fri Aug 27 18:54:30 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Changes since 1.61: +3 -3 lines
Diff to previous 1.61
* also don't alert if it's sslv3

Revision 1.56.2.3, Thu Aug 26 15:19:51 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56.2.2: +6 -4 lines
Diff to previous 1.56.2.2 to branch point 1.56
* sync sync sync

Revision 1.49.2.9, Thu Aug 26 15:18:57 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.8: +4 -4 lines
Diff to previous 1.49.2.8 to branch point 1.49
* sync sync sync

Revision 1.48.2.8, Thu Aug 26 15:18:13 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.7: +4 -4 lines
Diff to previous 1.48.2.7 to branch point 1.48
* sync sync sync

Revision 1.61, Thu Aug 26 15:01:28 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Changes since 1.60: +6 -4 lines
Diff to previous 1.60
* wee, more updates.  new rules for NSS SSL foo (judy & me ++)

Revision 1.48.2.7, Tue Aug 10 14:01:51 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.6: +2 -2 lines
Diff to previous 1.48.2.6 to branch point 1.48
* massive sync

Revision 1.49.2.8, Tue Aug 10 13:59:23 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.7: +13 -13 lines
Diff to previous 1.49.2.7 to branch point 1.49
* massive sync

Revision 1.56.2.2, Tue Aug 10 13:52:05 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
CVS Tags: SNORT_v2_2_0
Changes since 1.56.2.1: +13 -13 lines
Diff to previous 1.56.2.1 to branch point 1.56
* sync sync sync

Revision 1.60, Tue Aug 10 13:44:40 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.59: +13 -13 lines
Diff to previous 1.59
* tons of new rules
* tons of new rule references
* tons of new rule docs
* initial documentation on preprocessor alerts (gen-sid.txt in doc/signatures)
* new build of the manual

Revision 1.48.2.6, Fri Jul 23 20:32:40 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.5: +2 -2 lines
Diff to previous 1.48.2.5 to branch point 1.48
* sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc

Revision 1.49.2.7, Fri Jul 23 20:26:26 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.49.2.6: +3 -2 lines
Diff to previous 1.49.2.6 to branch point 1.49
* new rules

Revision 1.56.2.1, Fri Jul 23 20:19:25 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.56: +3 -2 lines
Diff to previous 1.56
* massive sync here too

Revision 1.59, Fri Jul 23 20:15:44 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.58: +5 -2 lines
Diff to previous 1.58
* sync sync sync
* go ruleteam go

Revision 1.48.2.5, Thu Jul 15 19:14:33 2004 UTC (5 years, 8 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.48.2.4: +51 -43 lines
Diff to previous 1.48.2.4 to branch point 1.48
* massive sync from head

Revision 1.58, Thu Jul 15 16:21:28 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
Changes since 1.57: +57 -57 lines
Diff to previous 1.57
* yet another sync, let's go forward in time, not backwards...

Revision 1.57, Wed Jul 14 21:16:09 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
Changes since 1.56: +57 -59 lines
Diff to previous 1.56
* massive rule updates (go ruleteam, go)

Revision 1.56, Mon Jun 28 17:49:45 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
CVS Tags: SNORT_v2_2_0-RC1
Branch point for: SNORT_2_2
Changes since 1.55: +3 -1 lines
Diff to previous 1.55
* asn1 rule goodness (Big massive round of applause to Dan for the ASN1 plugin)

Revision 1.49.2.6, Wed Jun 16 15:11:06 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.49.2.5: +56 -56 lines
Diff to previous 1.49.2.5 to branch point 1.49
* Syncing changes for rules team

Revision 1.55, Tue Jun 15 13:47:07 2004 UTC (5 years, 9 months ago) by bmc
Branch: MAIN
Changes since 1.54: +57 -57 lines
Diff to previous 1.54
* let's try this *again*

Revision 1.54, Thu Jun 3 20:11:04 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: MAIN
Changes since 1.53: +65 -52 lines
Diff to previous 1.53
* sync with sforge current

Revision 1.49.2.5, Thu Jun 3 18:13:37 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3
Changes since 1.49.2.4: +63 -51 lines
Diff to previous 1.49.2.4 to branch point 1.49
* updating 2.1.3 from sforge

Revision 1.49.2.4, Fri May 28 19:21:40 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.49.2.3: +6 -1 lines
Diff to previous 1.49.2.3 to branch point 1.49
* syncing up sfire with sforge 2.1 branch

Revision 1.53, Sun Apr 18 20:32:58 2004 UTC (5 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.52: +7 -1 lines
Diff to previous 1.52
* a ton of new rules, a bunch of updates too.

2447 || WEB-MISC ServletManager access || cve,CAN-2001-1195 || nessus,12122
2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120
2449 || FTP ALLO overflow attempt || bugtraq,9953
2450 || CHAT Yahoo IM successful logon
2451 || CHAT Yahoo IM voicechat
2452 || CHAT Yahoo IM ping
2453 || CHAT Yahoo IM conference invitation
2454 || CHAT Yahoo IM conference logon success
2455 || CHAT Yahoo IM conference message
2456 || CHAT Yahoo IM file transfer request
2457 || CHAT Yahoo IM message
2458 || CHAT Yahoo IM successful chat join
2459 || CHAT Yahoo IM webcam offer invitation
2460 || CHAT Yahoo IM webcam request
2461 || CHAT Yahoo IM webcam watch
2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2465 || NETBIOS SMB-DS IPC$ share access
2466 || NETBIOS SMB-DS IPC$ share unicode access
2467 || NETBIOS SMB D$ share unicode access
2468 || NETBIOS SMB-DS D$ share access
2469 || NETBIOS SMB-DS D$ share unicode access
2470 || NETBIOS SMB C$ share unicode access
2471 || NETBIOS SMB-DS C$ share access
2472 || NETBIOS SMB-DS C$ share unicode access
2473 || NETBIOS SMB ADMIN$ share unicode access
2474 || NETBIOS SMB-DS ADMIN$ share access
2475 || NETBIOS SMB-DS ADMIN$ share unicode access
2476 || NETBIOS SMB-DS Create AndX Request winreg attempt
2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt
2478 || NETBIOS SMB-DS DCERPC bind winreg attempt
2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt
2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt
2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt
2482 || NETBIOS SMB-DS DCERPC shutdown attempt
2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt
2484 || WEB-MISC source.jsp access || nessus,12119
2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || bugtraq,9916
2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004
2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758
2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758
2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2494 || NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2497 || IMAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2498 || IMAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2499 || MISC LDAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2500 || MISC LDAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2501 || POP3 invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2502 || POP3 invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2503 || SMTP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2504 || SMTP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2505 || WEB-MISC invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2506 || WEB-MISC invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120

Revision 1.48.2.4, Mon Mar 22 16:26:30 2004 UTC (5 years, 11 months ago) by cazz
Branch: SNORT_2_0
Changes since 1.48.2.3: +3 -1 lines
Diff to previous 1.48.2.3 to branch point 1.48
* sync sync sync

Revision 1.49.2.3, Mon Mar 22 16:18:34 2004 UTC (5 years, 11 months ago) by cazz
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3-RC1, SNORT_v2_1_2
Changes since 1.49.2.2: +8 -1 lines
Diff to previous 1.49.2.2 to branch point 1.49
* sync sync sync

Revision 1.52, Sat Mar 20 21:58:42 2004 UTC (6 years ago) by cazz
Branch: MAIN
Changes since 1.51: +9 -2 lines
Diff to previous 1.51
* Added a ton of rules that include vulnerabilities in many high-profile
  security products, including Checkpoint & ISS gear (see below)
* provided a single high-powered rule for detecting all of the evil virus emails
* added even more docs.  (Go Nigel)

2405 || WEB-PHP phptest.php access || bugtraq,9737
2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
2407 || WEB-MISC util.pl access || bugtraq,9748
2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
2409 || POP3 APOP USER overflow attempt || bugtraq,9794
2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2416 || FTP invalid MDTM command attempt
2417 || FTP format string attempt
2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.asp
2419 || MULTIMEDIA realplayer .ram playlist download attempt
2420 || MULTIMEDIA realplayer .rmp playlist download attempt
2421 || MULTIMEDIA realplayer .smi playlist download attempt
2422 || MULTIMEDIA realplayer .rt playlist download attempt
2423 || MULTIMEDIA realplayer .rp playlist download attempt
2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2426 || NNTP version overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2432 || NNTP article post without path attempt
2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9738 || cve,CAN-2003-0726
2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,CAN-2004-0169
2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html

Revision 1.49.2.2, Mon Mar 1 15:04:39 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_1
Changes since 1.49.2.1: +6 -1 lines
Diff to previous 1.49.2.1 to branch point 1.49
* sync sync sync

Revision 1.48.2.3, Mon Mar 1 14:40:42 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_0
Changes since 1.48.2.2: +6 -1 lines
Diff to previous 1.48.2.2 to branch point 1.48
* sync new rules downwards

Revision 1.51, Fri Feb 27 22:36:18 2004 UTC (6 years ago) by cazz
Branch: MAIN
Changes since 1.50: +6 -1 lines
Diff to previous 1.50
* 44 new rules, 52 updates.  see snort-sigs mailing list in a few days for the full details.

The cool rules are:
(For ISS buffer overflow detection!)
NETBIOS SMB Session Setup AndX request username overflow attempt
NETBIOS SMB Data Service Session Setup AndX request username overflow attempt
NETBIOS SMB Session Setup AndX request unicode username overflow attempt
NETBIOS SMB Data Service Session Setup AndX request unicode username overflow attempt

(For FW1 ISAKMP buffer overflow detection!)
EXPLOIT ISAKMP first payload certificate request length overflow attempt
EXPLOIT ISAKMP second payload certificate request length overflow attempt
EXPLOIT ISAKMP third payload certificate request length overflow attempt
EXPLOIT ISAKMP forth payload certificate request length overflow attempt
EXPLOIT ISAKMP fifth payload certificate request length overflow attempt

Revision 1.48.2.2, Sat Feb 21 16:56:27 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_0
Changes since 1.48.2.1: +1 -2 lines
Diff to previous 1.48.2.1 to branch point 1.48
* oops, a few dups (Thanks to Andreas for pointing them out)

Revision 1.48.2.1, Fri Feb 20 20:39:31 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_0
Changes since 1.48: +2 -1 lines
Diff to previous 1.48
* sync sync sync, sync sync sync, sync your rules

Revision 1.49.2.1, Tue Jan 20 21:31:38 2004 UTC (6 years, 2 months ago) by jh8
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_1-RC1, SNORT_v2_1_1
Changes since 1.49: +4 -2 lines
Diff to previous 1.49
* 2.1.1-RC1

Revision 1.50, Fri Jan 9 22:14:22 2004 UTC (6 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.49: +4 -2 lines
Diff to previous 1.49
* add stateless to a few more rules that I missed.
* Add the following rules:
sid:2317 - MISC CVS non-relative path error response || bugtraq,9178 || cve,CAN-2003-0977
sid:2318 - MISC CVS non-relative path access attempt || bugtraq,9178 || cve,CAN-2003-0977
sid:2319 - EXPLOIT ebola PASS overflow attempt || bugtraq,9156
sid:2320 - EXPLOIT ebola USER overflow attempt || bugtraq,9156

Revision 1.49, Mon Oct 20 15:03:08 2003 UTC (6 years, 5 months ago) by chrisgreen
Branch: MAIN
CVS Tags: version-2-1-0, cmg, SNORT_v2_1_0
Branch point for: SNORT_2_1
Changes since 1.48: +3 -3 lines
Diff to previous 1.48
* Major add/commit of 2.1 feature set...

  Will do a tag and then remove the "moved" files

Revision 1.48, Wed May 14 18:07:56 2003 UTC (6 years, 10 months ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-6, version-2-0-5, version-2-0-2, version-2-0-1
Branch point for: SNORT_2_0
Changes since 1.47: +2 -2 lines
Diff to previous 1.47
* major push of rules.  see snort-sigs email for all the changes.

Revision 1.47, Thu Apr 17 00:35:46 2003 UTC (6 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.46: +12 -13 lines
Diff to previous 1.46
* MASSIVE sync of rules

This is the first major sync of rules since I started working for Sourcefire.

Many of these updates are a direct result of my employment at Sourcefire.  We
have time and resources to test and document rules extensively.  Many people
have contributed to these updates.  Too many to mention here.

You should continue to see awesome updates, rewrites and new rules as
Sourcefire is dedicating serious resources to the Snort project.

Even if you don't buy an appliance from Sourcefire, you should send an
email to info@sourcefire.com to let them know how much you appreciate their
dedication to making snort awesome.

Revision 1.40.2.2, Fri Feb 7 22:04:47 2003 UTC (7 years, 1 month ago) by cazz
Branch: SNORT_1_9
CVS Tags: version-1-9-1
Changes since 1.40.2.1: +3 -3 lines
Diff to previous 1.40.2.1 to branch point 1.40 to next main 1.41
* merge merge merge merge merge.  Happy with the merge?

Revision 1.46, Mon Jan 27 00:33:09 2003 UTC (7 years, 1 month ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-0, CMG
Changes since 1.45: +3 -1 lines
Diff to previous 1.45
* updated sid:1293 - reduce false positives
* updated sid:1294 - reduce false positives
* updated sid:604 - corrected references
* updated sid:1200 - added reference
* moved sid:307 - moved to more appropriate category
* moved sid:1382 - moved to more appropriate category

Thanks to:
Bob Dehnhardt
Mathew Johnston
Andrew Hintz
Jon Hart

Revision 1.45, Mon Nov 25 01:58:12 2002 UTC (7 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.44: +2 -4 lines
Diff to previous 1.44
* updated sid:107 - corrected bad content checks
* updated sid:159 - corrected client/server pair
* updated sid:195 - corrected client/server pair
* updated sid:1929 - (trust me, it changed between 1,2 and 3)
* updated sid:524 - removed invalid references
* updated sid:238 - corrected client/server pair
* updated sid:1257 - added additional ports that can be targeted
* updated sid:306 - added reference
* updated sid:1919 - added references
* updated sid:1734 - added references
* updated sid:361 - added distance to limit false positives
* updated sid:362 - removed RETR content check (can be used with STOR as well)
* updated sid:1377 - added distance to limit false positives
* updated sid:1378 - added distance to limit false positives
* re-enabled sid:1748 - should be on by default
* updated sid:1844 - use byte_test instead of distance
* updated sid:1845 - use byte_test instead of distance
* updated sid:1903 - remove additional un-needed content
* updated sid:1755 - use within
* disabled sid:293 - replaced with other sids
* disabled sid:295 - replaced with other sids
* disabled sid:296 - replaced with other sids
* disabled sid:297 - replaced with other sids
* disabled sid:298 - replaced with other sids
* disabled sid:299 - replaced with other sids
* updated sid:489 - added within
* updated sid:1866 - added references
* disabled sid:570 - replaced with other sids
* disabled sid:571 - replaced with other sids
* updated sid:664 - updated MSG to be more clear
* updated sid:1289 - added offsets
* updated sid:1441 - added offsets
* updated sid:1442 - added offsets
* updated sid:1443 - added offsets
* updated sid:519 - added offsets
* updated sid:1149 - updated MSG to be more clear
* disabled sid:1287 - too false positive to be on by default
* updated sid:1069 - updated MSG to be more clear
* updated sid:1519 - updated MSG to be correct, update content to be correct
* updated sid:1809 - use HTTP_PORTS instead of 80
* updated sid:1826 - correct uricontent
* disabled sid:1171 - too false positive to be on by default

* deleted sid:874 - very bad rule
* deleted sid:318 - replaced by sid:1939 and sid:1940
* deleted sid:319 - replaced by sid:1939 and sid:1940

* reordered rpc.rules to be a bit more clear
* reordered dns.rules to be a bit more clear
* added pop2.rules
* disabled asn1_decode, as it shouldn't be on by default
* added the following rules:
1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
1930 || IMAP auth overflow attempt || cve,CVE-1999-0005
1931 || WEB-CGI rpc-nlog.pl access || cve,CAN-1999-1278
1932 || WEB-CGI rpc-smb.pl access || cve,CAN-1999-1278
1933 || WEB-CGI cart.cgi access
1934 || POP2 FOLD overflow attempt || cve,CVE-1999-0920 || bugtraq,283
1935 || POP2 FOLD arbitrary file attempt
1936 || POP3 AUTH overflow attempt
1937 || POP3 LIST overflow attempt || cve,CAN-2000-0096 || bugtraq,948
1938 || POP3 XTND overflow attempt
1939 || MISC bootp hardware address lenght overflow || cve,CAN-1999-0798
1940 || MISC bootp invalid hardware type || cve,CAN-1999-0798
1941 || TFTP filename overflow attempt || bugtraq,5328 || cve,CAN-2002-0813
1942 || FTP RMDIR overflow attempt
1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,CVE-2000-0396
1944 || WEB-MISC /ecscripts/ecware.exe access
1945 || WEB-IIS unicode directory traversal attempt || cve,CVE-2000-0884
1946 || WEB-MISC answerbook2 admin attempt
1947 || WEB-MISC answerbook2 arbitrary command execution attempt
1948 || DNS zone transfer UDP || arachnids,212 || cve,CAN-1999-0532
1949 || RPC portmap SET attempt TCP 111
1950 || RPC portmap SET attempt UDP 111
1951 || RPC mountd TCP mount request
1952 || RPC mountd UDP export request
1953 || RPC AMD TCP pid request
1954 || RPC AMD UDP pid request
1955 || RPC AMD TCP version request
1956 || RPC AMD UDP version request
1957 || RPC sadmind UDP PING || bugtraq,866
1958 || RPC sadmind TCP PING || bugtraq,866
1959 || RPC portmap request NFS UDP
1960 || RPC portmap request NFS TCP
1961 || RPC portmap request RQUOTA UDP
1962 || RPC portmap request RQUOTA TCP
1963 || RPC RQUOTA UDP getquota overflow attempt || bugtraq,864 || cve,CVE-1999-0974
1964 || RPC tooltalk UDP overflow attempt
1965 || RPC tooltalk TCP overflow attempt
1966 || MISC GlobalSunTech Access Point Information Discolsure attempt || bugtraq,6100
1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
1969 || WEB-MISC ion-p access || bugtraq,6091
1970 || WEB-IIS MDAC Content-Type overflow attempt
1971 || FTP SITE EXEC format string attempt
1972 || FTP PASS overflow attempt || cve,CAN-2002-0126 || cve,CAN-2000-1035
1973 || FTP MKD overflow attempt || bugtraq,612 || cve,CAN-1999-0911
1974 || FTP REST overflow attempt || cve,CAN-2001-0826
1975 || FTP DELE overflow attempt || cve,CAN-2001-0826
1976 || FTP RMD overflow attempt || cve,CAN-2001-0826
1977 || WEB-MISC xp_regwrite attempt
1978 || WEB-MISC xp_regdeletekey attempt
1979 || WEB-MISC perl post attempt || nessus,11158 || bugtraq,5520

Revision 1.40.2.1 / (view) - annotate - [select for diffs] , Sun Nov 17 04:40:08 2002 UTC (7 years, 4 months ago) by cazz
Branch: SNORT_1_9
Changes since 1.40: +16 -7 lines
Diff to previous 1.40
* major sync from current (look ma, no experimental.rules)
* added pop2.rules
* regen sid-msg.map

Revision 1.44 / (view) - annotate - [select for diffs] , Sun Nov 17 04:23:04 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.43: +1 -3 lines
Diff to previous 1.43
* added sid:1934 - POP2 FOLD overflow attempt
* added sid:1935 - POP2 FOLD arbitrary file attempt
* moved sid:284 - moved to pop2.rules
* moved sid:285 - moved to pop2.rules

Revision 1.43 / (view) - annotate - [select for diffs] , Wed Nov 6 21:44:51 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.42: +2 -2 lines
Diff to previous 1.42
* updated sid:308 - switched src & dst to be correct (thanks mat@intellitactics)

Revision 1.42 / (view) - annotate - [select for diffs] , Wed Nov 6 13:35:14 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.41: +6 -1 lines
Diff to previous 1.41
* add my notes to RULES.todo
* delete sid:1620 - spp_conversation takes care of this
* moved sid:1429,1447,1448,1545,1636,1641,1771,1791,1801,1802,1803,1804,1808,
  1810,1811,1812,1819,1821,1832,1838,1842,1843,1844,1845,1902,1903,1904,1846,
  1853,1854,1855,1856,1865,1888,1887,1889,1905,1906,1907,1908,1909,1910,1911,
  1912,1480,1913,1914,1915,1916,1917,1918 to their final resting place.

This marks the end of experimental.rules.  Please take a moment of silence.

Revision 1.41 / (view) - annotate - [select for diffs] , Tue Nov 5 21:01:58 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.40: +7 -1 lines
Diff to previous 1.40
* updated sid:1382 - removed dsize, added within
* deleted sid:329 - duplicate of 330
* deleted sid:1477 - duplicate of 1478
* deleted sid:1246 - duplicate of 1248
* deleted sid:1247 - duplicate of 1249
* deleted sid:1171 - broken because of stream reassembly, needs added to httpd decoder
* deleted sid:1104 - broken because of stream reassembly, needs added to httpd decoder
* deleted sid:1087 - broken because of stream reassembly, needs added to httpd decoder
* deleted sid:1780 - duplicate of 1755
* deleted sid:291 - duplicate of 1538
* updated sid:1842 - removed dsize, added within
* updated sid:337 - updated msg, removed dsize, added within
* updated sid:1377 - added CVE references
* updated sid:1378 - added CVE references
* updated sid:1379 - removed dsize, added within
* updated sid:1621 - removed dsize, added within
* updated sid:1529 - removed dsize, added within
* updated sid:1630 - removed dsize, added within
* updated sid:1562 - removed dsize, added within
* updated sid:1734 - removed dsize, added within
* updated sid:1755 - added CVE reference, added within
* updated sid:1388 - removed dsize, added within
* updated sid:1792 - added CVE reference, removed dsize, added within
* updated sid:1538 - added arachnids reference, removed dsize, added within
* updated sid:1866 - removed dsize, added within
* updated sid:1634 - removed dsize, added within
* updated sid:1635 - removed dsize, added within
* disabled sid:596 - soon to be replaced by other rules
* disabled sid:597 - soon to be replaced by other rules
* updated sid:1280 - added within to skip revisions (evasion protection)
* updated sid:598 - added within to skip revisions (evasion protection)
* updated sid:599 - added within to skip revisions (evasion protection)
* updated sid:1281 - added within to skip revisions (evasion protection)
* disabled sid:600 - soon to be replaced by other rules
* disabled sid:1282 - soon to be replaced by other rules
* updated sid:654 - removed dsize, added within
* updated sid:657 - removed dsize, added within
* updated sid:1549 - removed dsize, added within
* updated sid:1550 - removed dsize, added within
* updated sid:804 - removed dsize
* updated sid:821 - removed dsize
* updated sid:1242 - removed dsize
* updated sid:1244 - removed dsize
* updated sid:981:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:982:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:983:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:1044 - removed dsize
* updated sid:1181 - removed dsize
* updated sid:1258 - removed dsize
* updated sid:1260 - removed dsize, added within
* added the following rules:
1902 || EXPERIMENTAL IMAP lsub overflow attempt || cve,CAN-2000-0284 || nessus,10374
1903 || EXPERIMENTAL IMAP rename overflow attempt || cve,CAN-2000-0284 || nessus,10374
1904 || EXPERIMENTAL IMAP find overflow attempt || cve,CAN-2000-0284 || nessus,10374
1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,CVE-1999-0704
1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,CVE-1999-0704
1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,CVE-1999-0696
1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,CVE-1999-0696
1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,CVE-1999-0696
1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,CVE-1999-0696
1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,CVE-1999-0977
1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,CVE-1999-0977
1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1917 || SCAN UPNP service discover attempt
1918 || SCAN SolarWinds IP scan attempt
1919 || FTP CWD overflow attempt
1920 || FTP SITE NEWER overflow attempt || cve,CVE-1999-0800
1921 || FTP SITE ZIPCHK attempt || cve,CVE-2000-0040
1922 || RPC portmap TCP proxy attempt
1923 || RPC portmap UDP proxy attempt

Revision 1.40 / (view) - annotate - [select for diffs] , Sun Aug 18 20:28:43 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
CVS Tags: version-1-9-0
Branch point for: SNORT_1_9
Changes since 1.39: +3 -2 lines
Diff to previous 1.39
* large update of signatures.  CVS disconnected during the last commit, so
  this is a recommit

Revision 1.39 / (view) - annotate - [select for diffs] , Thu Aug 8 23:10:48 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta6, beta-1_9_0-beta5, beta-1_9_0-beta4
Changes since 1.38: +3 -3 lines
Diff to previous 1.38
* cleaned up snort.conf so it's more clear
* renamed SMTP to SMTP_SERVERS to be more like the other definitions
* updated sid:210,210,211,212,213,214,215,216,217,218,219,220,1430,711,712,713,714,715,717,718,719,1252,1253,709,710,716 - added definition for TELNET_SERVERS
* updated sid:1842,1843,1844,1845,1846,1853 - added classtype
* updated sid:1800,310,310,490,567,654,655,656,656,657,658,659,660,1450,661,662,663,664,665,666,667,668,669,670,671,672,1446,631,632,1549,1550 - updated SMTP to SMTP_SERVERS

Revision 1.38 / (view) - annotate - [select for diffs] , Wed Jun 5 14:47:55 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta2
Changes since 1.37: +2 -19 lines
Diff to previous 1.37
* This is a massive change.  Since I'm really busy ATM, this is what changed.

* created imap.rules, nntp.rules, pop3.rules, other-ids.rules, web-client.rules,
   web-php.rules and moved signatures into those.

* added the following signatures:
1793 || PORN fetish
1794 || PORN masturbation
1795 || PORN ejaculation
1796 || PORN virgin
1797 || PORN BDSM
1798 || PORN erotica
1799 || PORN fisting
1800 || VIRUS Klez Incoming

Revision 1.37 / (view) - annotate - [select for diffs] , Mon Jun 3 20:01:57 2002 UTC (7 years, 9 months ago) by chrisgreen
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36
* EXPLOT -> EXPLOIT

Revision 1.36 / (view) - annotate - [select for diffs] , Thu May 30 21:28:05 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.35: +2 -1 lines
Diff to previous 1.35
* added the following signature:
1780 || EXPLOT IMAP partial body overflow attempt || bugtraq,4713

Revision 1.35 / (view) - annotate - [select for diffs] , Wed May 22 00:37:29 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.34: +3 -3 lines
Diff to previous 1.34
* updated sid:312 - added bugtraq ref
* updated sid:1751 - added CVE ref
* updated sid:499 - corrected MSG
* updated sid:1746,1747 - added cve & BUG references
* updated sid:1547 - removed false negative (print isn't required)
* added the following signatures:
1753 || EXPERIMENTAL WEB-IIS as_web.exe access || bugtraq,4670
1754 || EXPERIMENTAL WEB-IIS as_web4.exe access || bugtraq,4670
1755 || EXPERIMENTAL IMAP PARTIAL BODY attempt
1756 || EXPERIMENTAL WEB-IIS NewsPro administration authentication attempt
1757 || EXPERIMENTAL WEB-MISC b2 arbitrary command execution attempt
1758 || EXPERIMENTAL WEB-MISC b2 acces
1759 || MS-SQL xp_cmdshell program execution (445)

Revision 1.34 / (view) - annotate - [select for diffs] , Wed May 15 12:45:32 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.33: +36 -36 lines
Diff to previous 1.33
woohoo.  Biggest change we've made in a while.  We've removed "flags:A+"
in favor of "flow:established".  Initial testing shows that this change
is about a 200% speed increase.

NOTE: I know that not all of the signatures have been converted.  There are
144 signatures with flags left to be looked at.  I'll commit them later today,
but this the majority of them.

Revision 1.33 / (view) - annotate - [select for diffs] , Mon May 6 15:19:03 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.32: +2 -1 lines
Diff to previous 1.32
* updated sid:654 - added nocase (see emails on snort-sigs re this)
* added the following signatures:
1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631

Revision 1.32 / (view) - annotate - [select for diffs] , Sun Apr 14 22:52:48 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.31: +4 -4 lines
Diff to previous 1.31
* updated sid:258 - added bugtraq ref
* updated sid:259 - added bugtraq ref
* updated sid:260 - added bugtraq ref
* updated sid:275 - added bugtraq ref
* updated sid:1622 - corrected content to look for RNFR
* updated sid:315 - added bugtraq ref
* updated sid:316 - added bugtraq ref
* updated sid:317 - added bugtraq ref
* updated sid:588 - added bugtraq ref
* updated sid:806 - added bugtraq ref, corrected MSG
* updated sid:1395 - added bugtraq ref
* updated sid:1396 - added bugtraq ref
* updated sid:1242 - added bugtraq ref
* updated sid:1245 - added bugtraq ref
* updated sid:1037 - added bugtraq ref
* Added the following signatures:
1630 || EXPERIMENTAL FTP EXPLOIT CWD overflow
1631 || MISC AIM login
1632 || MISC AIM send message
1633 || MISC AIM recieve message
1634 || EXPERIMENTAL POP3 PASS overflow attempt || cve,CAN-1999-1511
1635 || EXPERIMENTAL POP3 APOP overflow attempt || cve,CAN-2000-0841
1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,CAN-1999-511
1637 || WEB-CGI yabb.cgi access || bugtraq,1668 || arachnids,462 || cve,CVE-2000-0853

Revision 1.31 / (view) - annotate - [select for diffs] , Sun Mar 31 02:10:01 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.30: +7 -7 lines
Diff to previous 1.30
* updated a TON of sigs (too many to mention) oops.  s/flow:A+;/flags:A+;/
* updated a TON of sigs (too many to mention) added CVE refs

1449 || INFO FTP anonymous (ftp) login attempt
1450 || SMTP expn *@ || cve,CAN-1999-1200
1451 || WEB-CGI NPH-publish access || cve,CAN-2001-0400
1452 || WEB-CGI args.cmd access || cve,CAN-1999-1374
1453 || WEB-CGI AT-generated.cgi access || cve,CAN-1999-1072
1454 || WEB-CGI wwwwais access || cve,CAN-2001-0223
1455 || WEB-CGI calender.pl access || cve,CVE-2000-0432
1456 || WEB-CGI calender_admin.pl access || cve,CVE-2000-0432
1457 || WEB-CGI user_update_admin.pl access || cve,CVE-2000-0627
1458 || WEB-CGI user_update_passwd.pl access || cve,CVE-2000-0627
1459 || WEB-CGI bb-histlog.sh access || cve,CAN-1999-1462 || bugtraq,142
1460 || WEB-CGI bb-histsvc.sh access || cve,CAN-1999-1462 || bugtraq,142
1461 || WEB-CGI bb-rep.sh access || cve,CAN-1999-1462 || bugtraq,142
1462 || WEB-CGI bb-replog.sh access || cve,CAN-1999-1462 || bugtraq,142

Revision 1.30 / (view) - annotate - [select for diffs] , Sat Mar 23 14:40:20 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.29: +36 -36 lines
Diff to previous 1.29
* Added the following signatures:
1428 || EXPERIMENTAL audio galaxy keepalive
1429 || EXPERIMENTAL poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
1430 || EXPERIMENTAL TELNET solaris memory mismanagement exploit attempt
1431 || EXPERIMENTAL BAD TRAFFIC syn to multicast address
1432 || INFO GNUTella GET
1433 || WEB-MISC .history access
1434 || WEB-MISC .bash_history access
1435 || DNS named authors attempt || arachnids,480
1436 || MULTIMEDIA Quicktime User Agent access
1437 || MULTIMEDIA Windows Media audio download
1438 || MULTIMEDIA Windows Media Video download
1439 || MULTIMEDIA Shoutcast playlist redirection
1440 || MULTIMEDIA Icecast playlist redirection
1441 || TFTP GET nc.exe
1442 || TFTP GET shadow
1443 || TFTP GET passwd
1444 || TFTP Get
1445 || FTP file_id.diz access
1446 || SMTP vrfy root

* Massive flow updates.  I hope nobody is using these signatures with 1.8.*

Revision 1.29 / (view) - annotate - [select for diffs] , Sat Mar 2 05:19:23 2002 UTC (8 years ago) by cazz
Branch: MAIN
Changes since 1.28: +2 -1 lines
Diff to previous 1.28
* moved a bunch of experimental rules to their final resting place
* regenerated sid-msg.map

Revision 1.28 / (view) - annotate - [select for diffs] , Wed Jan 30 13:03:56 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.27: +3 -3 lines
Diff to previous 1.27
* updated sid:209 - added arachnids ref
* updated sid:216 - added arachnids ref
* updated sid:1321 - added RFC ref, added microsoft kb ref
* updated sid:303 - changed CVE CAN to CVE CVE.
* updated sid:314 - changed CVE CAN to CVE CVE.
* updated sid:1246 - added microsoft bulletin ref
* updated sid:1248 - added microsoft bulletin ref
* disabled sid:1049 - redundant sig (/../../../)

Revision 1.27 / (view) - annotate - [select for diffs] , Thu Jan 17 17:18:20 2002 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.26: +3 -3 lines
Diff to previous 1.26
* updated sid:216 - added a bit more information to the MSG.
* removed sid:280 - duplicate sig.
* updated sid:314 - synced msg with sid:303.  Corrected CVE ref.
* updated sid:303 - corrected CVE ref.
* updated sid:333 - corrected CVE ref.
* updated sid:1003 - corrected spelling in MSG.
* updated sid:1171 - added URL ref.  Added a bit more info in MSG.
* updated sid:1139 - added URL ref.  Added a bit more info in MSG.
* updated sid:1104 - added URL ref.
* updated sid:1087 - added URL ref.

Revision 1.26 / (view) - annotate - [select for diffs] , Fri Jan 11 13:13:49 2002 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.25: +2 -2 lines
Diff to previous 1.25
* sid:1382 - one too many anys.
* sid:1246 - lowercase proto
* sid:1248 - lowercase proto
* spo_csv.h - s/dsport/dstport/    pointed out by Vaclav Moucha

Revision 1.25 / (view) - annotate - [select for diffs] , Wed Dec 19 18:40:04 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.24: +3 -3 lines
Diff to previous 1.24
* Added more stuff to the TODO list
* moved sid:144 to ftp.rules since that's where it belongs
* updated sid:303,1240 (added flags)
* committed a ton of updates to sql.rules and ftp.rules
  (see diffs for full info) from Ryan @ SecurityFocus. (You rock yo)
* added a bit of info as to why local.rules exists to local.rules

Revision 1.24 / (view) - annotate - [select for diffs] , Thu Dec 13 00:16:40 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.23: +2 -1 lines
Diff to previous 1.23
added sig for the ettercap exploit.  and no gobble, your snort signatures
don't actually work.

Revision 1.23 / (view) - annotate - [select for diffs] , Mon Nov 26 17:42:55 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.22: +2 -2 lines
Diff to previous 1.22
* disable ssh2 filler sig.  yes, that's crud.

Revision 1.22 / (view) - annotate - [select for diffs] , Mon Nov 12 19:42:26 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.21: +3 -3 lines
Diff to previous 1.21
* more FAQ foo (from Erek Adams)
* updated SID:307,308, removed SID:1063 (re cmg)

Revision 1.21 / (view) - annotate - [select for diffs] , Mon Nov 5 19:08:19 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20
* added Zeno (did much of the leg work for web-attacks.rules) to the CREDITS
* fixed a speeling error for sid:1257
* increased the filler signature length.
* moved sid:1113 to the end of the web-misc.rules (let's be less generic if possible)

Revision 1.20 / (view) - annotate - [select for diffs] , Fri Nov 2 06:28:18 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.19: +5 -1 lines
Diff to previous 1.19
added 4 ssh crc32 signatures (Special thanks to Dave Dittrich for the capture)

Revision 1.19 / (view) - annotate - [select for diffs] , Mon Oct 29 20:57:57 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.18: +2 -1 lines
Diff to previous 1.18
added rwhoisd exploit sig

Revision 1.18 / (view) - annotate - [select for diffs] , Mon Oct 29 01:52:54 2001 UTC (8 years, 4 months ago) by roesch
Branch: MAIN
Changes since 1.17: +2 -1 lines
Diff to previous 1.17
* Added copyright notices so that the Intrusion.com people might take our intellectual
  property a bit more seriously

Revision 1.17 / (view) - annotate - [select for diffs] , Wed Oct 24 22:00:13 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.16: +2 -2 lines
Diff to previous 1.16
* clean hex so it's easier to read

Revision 1.16 / (view) - annotate - [select for diffs] , Fri Sep 14 04:22:53 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.15: +3 -3 lines
Diff to previous 1.15
* corrected CVE references
* regen sid-msg.map

Revision 1.15 / (view) - annotate - [select for diffs] , Sun Sep 2 18:50:28 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.14: +2 -1 lines
Diff to previous 1.14
* added aix pdnsd overflow sig
* added aix long basic authorization string
  (This may trigger on long posts as well.  It hasn't on my network yet,
   but it might elsewhere)

Revision 1.14 / (view) - annotate - [select for diffs] , Sun Aug 26 00:02:01 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.13: +1 -2 lines
Diff to previous 1.13
* cleaned up a huge amount of dup rules

Thanks to Jimmy Staggs for pointing out the duplicates

Revision 1.13 / (view) - annotate - [select for diffs] , Sun Jul 29 16:36:35 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.12: +12 -12 lines
Diff to previous 1.12
* Added CVE & Bugtraq references to a few zillion rules.
* Fixed sid:1048 (caught by John Berkers)

Revision 1.12 / (view) - annotate - [select for diffs] , Thu Jul 26 18:43:51 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.11: +6 -6 lines
Diff to previous 1.11
* Added SID->reference maps (sid-ref.map)
* Added BIDs to a few zillion rules.  Thanks to the guys at SF for the data

Revision 1.11 / (view) - annotate - [select for diffs] , Sun Jun 17 00:19:48 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.10: +2 -1 lines
Diff to previous 1.10
* added a bunch of signatures
* added better 'output' of broken rules in sp_pattern_match.c

Revision 1.10 / (view) - annotate - [select for diffs] , Mon Jun 11 15:29:29 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.9: +38 -38 lines
Diff to previous 1.9
* added support for SID and REV.
* added sid-msg.map (maps SID to MSG)

SID is a unique ID for each rule.  REV is the rule revision.

Revision 1.9 / (view) - annotate - [select for diffs] , Tue Apr 17 05:58:40 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8
I need a rules speel checker... :)

Revision 1.8 / (view) - annotate - [select for diffs] , Tue Apr 17 05:31:29 2001 UTC (8 years, 11 months ago) by roesch
Branch: MAIN
Changes since 1.7: +2 -2 lines
Diff to previous 1.7
* fixed priority code pointer problem
* fixed incorrect URI assignment in http_decode

Revision 1.7 / (view) - annotate - [select for diffs] , Tue Apr 17 03:32:46 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.6: +38 -68 lines
Diff to previous 1.6
* Changed default $HOME_NET to any (watch as marty changes it right back :P)
* Added classifications to almost every rule

NOTE:
We are currently using IDMEF's classifications.  This may change soon.
This is an extremely SIMPLE and well defined set of rule classifications
and priorities.  It is completely changeable.  Read sp_priority and
classification.conf for more information.

Revision 1.6 / (view) - annotate - [select for diffs] , Mon Apr 9 06:39:44 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.5: +2 -5 lines
Diff to previous 1.5
----------------------------------------------------------------------

Added:
   * ntpdx overflow attempt (from arachnids)
Modified:
   * Lotus Domino Directory Traversal - Added better content matching
   * added uricontent for 5 rules.  More coming soon

Modified Files:
	exploit.rules web-misc.rules
----------------------------------------------------------------------

Revision 1.5 / (view) - annotate - [select for diffs] , Wed Apr 4 23:12:05 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.4: +6 -3 lines
Diff to previous 1.4
Damn cvs.  Fixed the rules that were not meant to be committed yet.

Revision 1.4 / (view) - annotate - [select for diffs] , Wed Apr 4 23:07:50 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.3: +14 -13 lines
Diff to previous 1.3
Added x11.rules, x11.rules, and virus.rules

Revision 1.3 / (view) - annotate - [select for diffs] , Sat Mar 17 05:15:34 2001 UTC (9 years ago) by roesch
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2
* uncommented line that shouldn't have been commented

Revision 1.2 / (view) - annotate - [select for diffs] , Sat Mar 17 05:08:28 2001 UTC (9 years ago) by roesch
Branch: MAIN
Changes since 1.1: +2 -2 lines
Diff to previous 1.1
* Fix for the ghetto patch, this one works... ;)

Revision 1.1 / (view) - annotate - [select for diffs] , Sat Mar 10 15:42:09 2001 UTC (9 years ago) by roesch
Branch: MAIN
* Disabled reserved bits scan detection, false positives for ECN traffic
  aren't detectable with the current code and I'm seeing a lot of noise
  out there about this...
* committed the new rules set from Forster/Caswell
