CVS log for snort/rules/sql.rules


Default branch: MAIN

Revision 1.32, Tue Mar 1 18:57:10 2005 UTC (5 years ago) by bmc
Branch: MAIN
CVS Tags: HEAD
Changes since 1.31: +14 -2 lines
a ton of new rules

Revision 1.28.2.2, Tue Mar 1 18:57:08 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_3
Changes since 1.28.2.1: +14 -2 lines
a ton of new rules

Revision 1.23.2.5, Tue Mar 1 18:57:06 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_2
Changes since 1.23.2.4: +14 -2 lines
a ton of new rules

Revision 1.18.2.8, Tue Mar 1 18:57:04 2005 UTC (5 years ago) by bmc
Branch: SNORT_2_1
Changes since 1.18.2.7: +3 -1 lines
a ton of new rules

Revision 1.31, Thu Feb 10 01:11:04 2005 UTC (5 years, 1 month ago) by bmc
Branch: MAIN
Changes since 1.30: +0 -0 lines
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.30, Wed Jan 12 15:46:11 2005 UTC (5 years, 2 months ago) by bmc
Branch: MAIN
Changes since 1.29: +1 -1 lines
a bunch of new rules.  go sourcefire.

Revision 1.29, Wed Oct 13 20:26:07 2004 UTC (5 years, 5 months ago) by bmc
Branch: MAIN
Changes since 1.28: +28 -28 lines
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.28.2.1, Wed Oct 13 20:25:57 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: STABLE, SNORT_v2_3_0-RC2, SNORT_v2_3_0-RC1, SNORT_v2_3_0
Changes since 1.28: +28 -28 lines
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.23.2.4, Wed Oct 13 20:25:47 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.23.2.3: +28 -28 lines
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.18.2.7, Wed Oct 13 20:25:36 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.18.2.6: +28 -28 lines
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.17.2.5, Wed Oct 13 20:25:25 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.17.2.4: +28 -28 lines
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.17.2.4, Fri Sep 10 18:32:47 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.17.2.3: +1 -2 lines
* dedup

Revision 1.23.2.3, Thu Aug 26 15:19:52 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.23.2.2: +4 -4 lines
* sync sync sync

Revision 1.18.2.6, Thu Aug 26 15:18:57 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.18.2.5: +4 -4 lines
* sync sync sync

Revision 1.17.2.3, Thu Aug 26 15:18:13 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.17.2.2: +4 -4 lines
* sync sync sync

Revision 1.28, Thu Aug 26 15:01:28 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Branch point for: SNORT_2_3
Changes since 1.27: +4 -4 lines
* wee, more updates.  new rules for NSS SSL foo (judy & me ++)

Revision 1.17.2.2, Tue Aug 10 14:01:51 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.17.2.1: +25 -25 lines
* massive sync

Revision 1.18.2.5, Tue Aug 10 13:59:23 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.18.2.4: +25 -25 lines
* massive sync

Revision 1.23.2.2, Tue Aug 10 13:52:06 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
CVS Tags: SNORT_v2_2_0
Changes since 1.23.2.1: +25 -25 lines
* sync sync sync

Revision 1.27, Tue Aug 10 13:44:40 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.26: +25 -25 lines
* tons of new rules
* tons of new rule references
* tons of new rule docs
* initial documentation on preprocessor alerts (gen-sid.txt in doc/signatures)
* new build of the manual

Revision 1.23.2.1, Fri Jul 23 20:19:27 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.23: +1 -1 lines
* massive sync here too

Revision 1.26, Fri Jul 23 20:15:44 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.25: +1 -1 lines
* sync sync sync
* go ruleteam go

Revision 1.17.2.1, Thu Jul 15 19:14:33 2004 UTC (5 years, 8 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.17: +44 -43 lines
* massive sync from head

Revision 1.25, Thu Jul 15 16:21:28 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
Changes since 1.24: +19 -19 lines
* yet another sync, let's go forward in time, not backwards...

Revision 1.24, Wed Jul 14 21:16:10 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
Changes since 1.23: +19 -19 lines
* massive rule updates (go ruleteam, go)

Revision 1.18.2.4, Wed Jun 16 15:11:07 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.18.2.3: +18 -18 lines
* Syncing changes for rules team

Revision 1.23, Tue Jun 15 13:47:08 2004 UTC (5 years, 9 months ago) by bmc
Branch: MAIN
CVS Tags: SNORT_v2_2_0-RC1
Branch point for: SNORT_2_2
Changes since 1.22: +19 -19 lines
* let's try this *again*

Revision 1.22, Thu Jun 3 20:11:05 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: MAIN
Changes since 1.21: +45 -45 lines
* sync with sforge current

Revision 1.18.2.3, Thu Jun 3 18:13:38 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3
Changes since 1.18.2.2: +44 -44 lines
* updating 2.1.3 from sforge

Revision 1.18.2.2, Fri May 28 19:21:41 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.18.2.1: +2 -2 lines
* syncing up sfire with sforge 2.1 branch

Revision 1.21, Sun Apr 18 20:32:59 2004 UTC (5 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.20: +2 -2 lines
* a ton of new rules, a bunch of updates too.

2447 || WEB-MISC ServletManager access || cve,CAN-2001-1195 || nessus,12122
2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120
2449 || FTP ALLO overflow attempt || bugtraq,9953
2450 || CHAT Yahoo IM successful logon
2451 || CHAT Yahoo IM voicechat
2452 || CHAT Yahoo IM ping
2453 || CHAT Yahoo IM conference invitation
2454 || CHAT Yahoo IM conference logon success
2455 || CHAT Yahoo IM conference message
2456 || CHAT Yahoo IM file transfer request
2457 || CHAT Yahoo IM message
2458 || CHAT Yahoo IM successful chat join
2459 || CHAT Yahoo IM webcam offer invitation
2460 || CHAT Yahoo IM webcam request
2461 || CHAT Yahoo IM webcam watch
2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2465 || NETBIOS SMB-DS IPC$ share access
2466 || NETBIOS SMB-DS IPC$ share unicode access
2467 || NETBIOS SMB D$ share unicode access
2468 || NETBIOS SMB-DS D$ share access
2469 || NETBIOS SMB-DS D$ share unicode access
2470 || NETBIOS SMB C$ share unicode access
2471 || NETBIOS SMB-DS C$ share access
2472 || NETBIOS SMB-DS C$ share unicode access
2473 || NETBIOS SMB ADMIN$ share unicode access
2474 || NETBIOS SMB-DS ADMIN$ share access
2475 || NETBIOS SMB-DS ADMIN$ share unicode access
2476 || NETBIOS SMB-DS Create AndX Request winreg attempt
2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt
2478 || NETBIOS SMB-DS DCERPC bind winreg attempt
2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt
2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt
2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt
2482 || NETBIOS SMB-DS DCERPC shutdown attempt
2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt
2484 || WEB-MISC source.jsp access || nessus,12119
2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || bugtraq,9916
2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004
2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758
2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758
2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2494 || NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2497 || IMAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2498 || IMAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2499 || MISC LDAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2500 || MISC LDAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2501 || POP3 invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2502 || POP3 invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2503 || SMTP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2504 || SMTP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2505 || WEB-MISC invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2506 || WEB-MISC invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120

Revision 1.20, Sat Mar 20 21:58:43 2004 UTC (6 years ago) by cazz
Branch: MAIN
Changes since 1.19: +2 -2 lines
* Added a ton of rules that include vulnerabilities in many high-profile
  security products, including Checkpoint & ISS gear (see below)
* provided a single high-powered rule for detecting all of the evil virus emails
* added even more docs.  (Go Nigel)

2405 || WEB-PHP phptest.php access || bugtraq,9737
2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
2407 || WEB-MISC util.pl access || bugtraq,9748
2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
2409 || POP3 APOP USER overflow attempt || bugtraq,9794
2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2416 || FTP invalid MDTM command attempt
2417 || FTP format string attempt
2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.asp
2419 || MULTIMEDIA realplayer .ram playlist download attempt
2420 || MULTIMEDIA realplayer .rmp playlist download attempt
2421 || MULTIMEDIA realplayer .smi playlist download attempt
2422 || MULTIMEDIA realplayer .rt playlist download attempt
2423 || MULTIMEDIA realplayer .rp playlist download attempt
2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2426 || NNTP version overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2432 || NNTP article post without path attempt
2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9738 || cve,CAN-2003-0726
2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,CAN-2004-0169
2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html

Revision 1.18.2.1, Tue Jan 20 21:31:38 2004 UTC (6 years, 2 months ago) by jh8
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3-RC1, SNORT_v2_1_2, SNORT_v2_1_1-RC1, SNORT_v2_1_1
Changes since 1.18: +2 -1 lines
* 2.1.1-RC1

Revision 1.19, Sat Jan 17 01:01:01 2004 UTC (6 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.18: +2 -1 lines
* MS-SQL probe response overflow attempt (wee, out before anyone else.  take that ISS)

Revision 1.18, Mon Oct 20 15:03:13 2003 UTC (6 years, 5 months ago) by chrisgreen
Branch: MAIN
CVS Tags: version-2-1-0, cmg, SNORT_v2_1_0
Branch point for: SNORT_2_1
Changes since 1.17: +1 -1 lines
* Major add/commit of 2.1 feature set...

  Will do a tag and then remove the "moved" files

Revision 1.17, Thu Apr 17 00:35:47 2003 UTC (6 years, 11 months ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-6, version-2-0-5, version-2-0-2, version-2-0-1
Branch point for: SNORT_2_0
Changes since 1.16: +3 -1 lines
* MASSIVE sync of rules

This is the first major sync of rules since I started working for Sourcefire.

Many of these updates are a direct result of my employment at Sourcefire.  We
have time and resources to test and document rules extensively.  Many people
have contributed to these updates.  Too many to mention here.

You should continue to see awesome updates, rewrites and new rules as
Sourcefire is dedicating serious resources to the Snort project.

Even if you don't buy an appliance from Sourcefire, you should send an
email to info@sourcefire.com to let them know how much you appreciate their
dedication to making snort awesome.

Revision 1.16, Wed Mar 5 13:28:02 2003 UTC (7 years ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-0, CMG
Changes since 1.15: +1 -2 lines
* oops, dup rule merge.

Revision 1.15, Tue Mar 4 21:56:37 2003 UTC (7 years ago) by cazz
Branch: MAIN
Changes since 1.14: +3 -1 lines
* merge more rules
2004 || MS-SQL Worm propagation attempt OUTBOUND
2005 || RPC UDP kcms_server request
2006 || RPC TCP kcms_server request
2007 || RPC kcms_server directory traversal attempt
2008 || MISC CVS invalid user authentication response
2009 || MISC CVS invalid repository response
2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,CAN-2003-0015
2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,CAN-2003-0015
2012 || MISC CVS missing cvsroot response
2013 || MISC CVS invalid module response

Revision 1.13.2.2, Tue Mar 4 21:47:57 2003 UTC (7 years ago) by cazz
Branch: SNORT_1_9
Changes since 1.13.2.1: +2 -1 lines
* merge more rules
2004 || MS-SQL Worm propagation attempt OUTBOUND
2005 || RPC UDP kcms_server request
2006 || RPC TCP kcms_server request
2007 || RPC kcms_server directory traversal attempt
2008 || MISC CVS invalid user authentication response
2009 || MISC CVS invalid repository response
2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,CAN-2003-0015
2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,CAN-2003-0015
2012 || MISC CVS missing cvsroot response
2013 || MISC CVS invalid module response

Revision 1.13.2.1, Fri Feb 7 22:05:02 2003 UTC (7 years, 1 month ago) by cazz
Branch: SNORT_1_9
CVS Tags: version-1-9-1
Changes since 1.13: +2 -1 lines
* merge merge merge merge merge.  Happy with the merge?

Revision 1.14, Sun Jan 26 02:16:39 2003 UTC (7 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.13: +2 -1 lines
* move some policy rules to policy.rules
* move some deleted rules to deleted.rules
* add sid:2003 - rule for the Slammer worm (MS SQL Buff overflow #30052342)

Revision 1.13, Sun Aug 18 20:28:43 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
CVS Tags: version-1-9-0
Branch point for: SNORT_1_9
Changes since 1.12: +3 -2 lines
* large update of signatures.  CVS disconnected during the last commit, so
  this is a recommit

Revision 1.12, Wed Jun 5 14:47:55 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta6, beta-1_9_0-beta5, beta-1_9_0-beta4, beta-1_9_0-beta2
Changes since 1.11: +40 -40 lines
* This is a massive change.  Since I'm really busy ATM, this is what changed.

* created imap.rules, nntp.rules, pop3.rules, other-ids.rules, web-client.rules,
   web-php.rules and moved signatures into those.

* added the following signatures:
1793 || PORN fetish
1794 || PORN masturbation
1795 || PORN ejaculation
1796 || PORN virgin
1797 || PORN BDSM
1798 || PORN erotica
1799 || PORN fisting
1800 || VIRUS Klez Incoming

Revision 1.11, Wed May 22 00:37:30 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.10: +2 -1 lines
* updated sid:312 - added bugtraq ref
* updated sid:1751 - added CVE ref
* updated sid:499 - corrected MSG
* updated sid:1746,1747 - added cve & BUG references
* updated sid:1547 - removed false negative (print isn't required)
* added the following signatures:
1753 || EXPERIMENTAL WEB-IIS as_web.exe access || bugtraq,4670
1754 || EXPERIMENTAL WEB-IIS as_web4.exe access || bugtraq,4670
1755 || EXPERIMENTAL IMAP PARTIAL BODY attempt
1756 || EXPERIMENTAL WEB-IIS NewsPro administration authentication attempt
1757 || EXPERIMENTAL WEB-MISC b2 arbitrary command execution attempt
1758 || EXPERIMENTAL WEB-MISC b2 acces
1759 || MS-SQL xp_cmdshell program execution (445)

Revision 1.10, Wed Feb 13 12:35:50 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.9: +37 -37 lines
* added a few more things to doc/RULES.todo

* updated sid:103  - added url ref
* updated sid:260  - added url ref
* updated sid:967  - added url ref
* updated sid:975  - added url ref
* updated sid:1256 - added url ref
* updated sid:275  - added CVE ref & 2 url refs
* updated sid:271  - cleaned msg

* removed 90% of the depth/offsets from the 1433 signatures re CMG's request

* added sid:1405 - WEB-CGI AHG search.cgi access
* added sid:1406 - WEB-CGI agora.cgi access
* added sid:1407 - WEB-MISC smssend.php access
* added sid:1408 - EXPERIMENTAL MSDTC DoS sig
* added sid:1409 - EXPERIMENTAL SNMP community string overflow (from andrewb)
* added sid:1410 - WEB-CGI dcboard.cgi access

Revision 1.9, Wed Jan 16 12:39:10 2002 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.8: +3 -3 lines
* sid:527 - added CVE & CERT refs
* sid:252 - added RFC refs
* sid:268 - added CVE refs
* sid:270 - added CVE & CERT refs
* sid:1398 - corrected second offset (re conversation w/ cmg)
* sid:330 - added CVE refs
* sid:1387 - corrected BID refs (re email from Jensenne @ SecurityFocus)
* sid:1387 - corrected BID refs (re email from Jensenne @ SecurityFocus)

Revision 1.8, Fri Dec 21 21:15:48 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.7: +3 -1 lines
* added UPNP, mod-plsql, and ms-sql raiserror signatures

Revision 1.7, Wed Dec 19 18:40:05 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.6: +37 -37 lines
* Added more stuff to the TODO list
* moved sid:144 to ftp.rules since that's where it belongs
* updated sid:303,1240 (added flags)
* committed a ton of updates to sql.rules and ftp.rules
  (see diffs for full info) from Ryan @ SecurityFocus. (You rock yo)
* added a bit of info as to why local.rules exists to local.rules

Revision 1.6, Mon Oct 29 01:52:54 2001 UTC (8 years, 4 months ago) by roesch
Branch: MAIN
Changes since 1.5: +2 -1 lines
* Added copyright notices so that the Intrusion.com people might take our intellectual
  property a bit more seriously

Revision 1.5, Tue Sep 25 04:07:41 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.4: +16 -16 lines
* Added descriptions to many of the .rules files.  (More to come soon)
* cleaned up a few any any rules
* cleaned up the name of a few rules
* Created attack-responces.rules (for generic responses of known attacks)
* Created bad-traffic.rules (for signatures that shouldn't happen on a
  'good' network)
* normalized a few msgs.
* changed order telnet.rules to speed up the exploit signatures
* added sml3com access signature (need to write an overflow attempt sig,
  but don't have a 3com router to test it.  any takers?)

Revision 1.4, Mon Jun 11 15:29:30 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.3: +37 -37 lines
* added support for SID and REV.
* added sid-msg.map (maps SID to MSG)

SID is a unique ID for each rule.  REV is the rule revision.

Revision 1.3, Tue Apr 17 03:32:47 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.2: +37 -40 lines
* Changed default $HOME_NET to any (watch as marty changes it right back :P)
* Added classifications to almost every rule

NOTE:
We are currently using IDMEF's classifications.  This may change soon.
This is an extremely SIMPLE and well defined set of rule classifications
and priorities.  It is completely changeable.  Read sp_priority and
classification.conf for more information.

Revision 1.2, Thu Apr 5 15:24:11 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.1: +6 -5 lines
updated broken rules from last database export

Revision 1.1, Wed Apr 4 23:39:22 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
added virus.rules & sql.rules.  cleaned up rules to be less false positive.  removed a few duplicate rules.

snort-team@sourcefire.com