CVS log for snort/rules/web-misc.rules

Default branch: MAIN

Revision 1.102.2.15, Thu Feb 10 01:11:43 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.14: +2 -2 lines
Diff to previous 1.102.2.14 to branch point 1.102 to next main 1.103
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.105.2.17, Thu Feb 10 01:11:34 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.16: +2 -2 lines
Diff to previous 1.105.2.16 to branch point 1.105 to next main 1.106
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.112.2.10, Thu Feb 10 01:11:24 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.9: +2 -2 lines
Diff to previous 1.112.2.9 to branch point 1.112 to next main 1.113
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.118.2.6, Thu Feb 10 01:11:14 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_3
Changes since 1.118.2.5: +2 -2 lines
Diff to previous 1.118.2.5 to branch point 1.118 to next main 1.119
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.124, Thu Feb 10 01:11:04 2005 UTC (5 years, 1 month ago) by bmc
Branch: MAIN
CVS Tags: HEAD
Changes since 1.123: +3 -2 lines
Diff to previous 1.123
a bunch of new rules.  thanks microsoft, I didn't want to sleep on my birthday.  Really.

Revision 1.123, Mon Jan 17 23:52:57 2005 UTC (5 years, 1 month ago) by bmc
Branch: MAIN
Changes since 1.122: +2 -1 lines
Diff to previous 1.122
* more rules.  go sourcefire.  weee.

Revision 1.118.2.5, Mon Jan 17 23:52:48 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_3
CVS Tags: STABLE, SNORT_v2_3_0
Changes since 1.118.2.4: +2 -1 lines
Diff to previous 1.118.2.4 to branch point 1.118
* more rules.  go sourcefire.  weee.

Revision 1.112.2.9, Mon Jan 17 23:52:28 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.8: +2 -1 lines
Diff to previous 1.112.2.8 to branch point 1.112
* more rules.  go sourcefire.  weee.

Revision 1.105.2.16, Mon Jan 17 23:52:20 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.15: +2 -1 lines
Diff to previous 1.105.2.15 to branch point 1.105
* more rules.  go sourcefire.  weee.

Revision 1.102.2.14, Mon Jan 17 23:51:51 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.13: +2 -1 lines
Diff to previous 1.102.2.13 to branch point 1.102
* wee.  more rules.  go sourcefire.

Revision 1.122, Wed Jan 12 15:46:11 2005 UTC (5 years, 1 month ago) by bmc
Branch: MAIN
Changes since 1.121: +24 -10 lines
Diff to previous 1.121
a bunch of new rules.  go sourcefire.

Revision 1.118.2.4, Wed Jan 12 15:46:06 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_3
Changes since 1.118.2.3: +4 -2 lines
Diff to previous 1.118.2.3 to branch point 1.118
a bunch of new rules.  go sourcefire.

Revision 1.112.2.8, Wed Jan 12 15:46:01 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.7: +4 -2 lines
Diff to previous 1.112.2.7 to branch point 1.112
a bunch of new rules.  go sourcefire.

Revision 1.105.2.15, Wed Jan 12 15:45:56 2005 UTC (5 years, 1 month ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.14: +2 -2 lines
Diff to previous 1.105.2.14 to branch point 1.105
a bunch of new rules.  go sourcefire.

Revision 1.121, Tue Nov 30 02:39:07 2004 UTC (5 years, 3 months ago) by bmc
Branch: MAIN
Changes since 1.120: +2 -2 lines
Diff to previous 1.120
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.118.2.3, Tue Nov 30 02:39:03 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: SNORT_v2_3_0-RC2
Changes since 1.118.2.2: +2 -2 lines
Diff to previous 1.118.2.2 to branch point 1.118
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.112.2.7, Tue Nov 30 02:38:59 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.6: +2 -2 lines
Diff to previous 1.112.2.6 to branch point 1.112
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.105.2.14, Tue Nov 30 02:38:55 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.13: +2 -2 lines
Diff to previous 1.105.2.13 to branch point 1.105
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.102.2.13, Tue Nov 30 02:38:50 2004 UTC (5 years, 3 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.12: +2 -2 lines
Diff to previous 1.102.2.12 to branch point 1.102
Latest rulepack.  WINS, NETBIOS, and Backdoors (Backdoors = thanks Rickie, SF's intern.  Wish I had such an internship while I was in high school...)

Revision 1.120, Wed Oct 13 20:26:07 2004 UTC (5 years, 4 months ago) by bmc
Branch: MAIN
Changes since 1.119: +107 -106 lines
Diff to previous 1.119
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.118.2.2, Wed Oct 13 20:25:58 2004 UTC (5 years, 4 months ago) by bmc
Branch: SNORT_2_3
CVS Tags: SNORT_v2_3_0-RC1
Changes since 1.118.2.1: +107 -106 lines
Diff to previous 1.118.2.1 to branch point 1.118
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.112.2.6, Wed Oct 13 20:25:47 2004 UTC (5 years, 4 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.5: +107 -106 lines
Diff to previous 1.112.2.5 to branch point 1.112
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.105.2.13, Wed Oct 13 20:25:36 2004 UTC (5 years, 4 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.12: +101 -100 lines
Diff to previous 1.105.2.12 to branch point 1.105
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.102.2.12, Wed Oct 13 20:25:26 2004 UTC (5 years, 4 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.11: +97 -96 lines
Diff to previous 1.102.2.11 to branch point 1.102
tons of new rules, tons of rule updates.  oracle & nntp xpat rules are the important ones

Revision 1.119, Wed Sep 22 14:10:15 2004 UTC (5 years, 5 months ago) by bmc
Branch: MAIN
Changes since 1.118: +5 -1 lines
Diff to previous 1.118
more rules.  huge amount of effort from the sourcefire rules team.  go, team, go.

Revision 1.118.2.1, Wed Sep 22 14:10:11 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_3
Changes since 1.118: +5 -1 lines
Diff to previous 1.118
more rules.  huge amount of effort from the sourcefire rules team.  go, team, go.

Revision 1.112.2.5, Wed Sep 22 14:10:06 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.4: +5 -1 lines
Diff to previous 1.112.2.4 to branch point 1.112
more rules.  huge amount of effort from the sourcefire rules team.  go, team, go.

Revision 1.105.2.12, Wed Sep 22 14:10:00 2004 UTC (5 years, 5 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.11: +5 -1 lines
Diff to previous 1.105.2.11 to branch point 1.105
more rules.  huge amount of effort from the sourcefire rules team.  go, team, go.

Revision 1.102.2.11, Fri Sep 10 18:32:47 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.10: +1 -3 lines
Diff to previous 1.102.2.10 to branch point 1.102
* dedup

Revision 1.118, Tue Sep 7 19:36:02 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Branch point for: SNORT_2_3
Changes since 1.117: +45 -39 lines
Diff to previous 1.117
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.112.2.4, Tue Sep 7 19:35:57 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.3: +45 -39 lines
Diff to previous 1.112.2.3 to branch point 1.112
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.105.2.11, Tue Sep 7 19:35:53 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.10: +38 -37 lines
Diff to previous 1.105.2.10 to branch point 1.105
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.102.2.10, Tue Sep 7 19:35:44 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.9: +38 -37 lines
Diff to previous 1.102.2.9 to branch point 1.102
more rules, more rule updates, and more preprocessor docs.  yes, just like TBS, we can do 'more' too.

Revision 1.112.2.3, Thu Aug 26 15:19:52 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112.2.2: +4 -4 lines
Diff to previous 1.112.2.2 to branch point 1.112
* sync sync sync

Revision 1.105.2.10, Thu Aug 26 15:18:57 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.9: +4 -4 lines
Diff to previous 1.105.2.9 to branch point 1.105
* sync sync sync

Revision 1.102.2.9, Thu Aug 26 15:18:14 2004 UTC (5 years, 6 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.8: +4 -4 lines
Diff to previous 1.102.2.8 to branch point 1.102
* sync sync sync

Revision 1.117, Thu Aug 26 15:01:28 2004 UTC (5 years, 6 months ago) by bmc
Branch: MAIN
Changes since 1.116: +4 -4 lines
Diff to previous 1.116
* wee, more updates.  new rules for NSS SSL foo (judy & me ++)

Revision 1.102.2.8, Tue Aug 10 14:01:51 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.7: +14 -18 lines
Diff to previous 1.102.2.7 to branch point 1.102
* massive sync

Revision 1.105.2.9, Tue Aug 10 13:59:23 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.8: +16 -17 lines
Diff to previous 1.105.2.8 to branch point 1.105
* massive sync

Revision 1.112.2.2, Tue Aug 10 13:52:06 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
CVS Tags: SNORT_v2_2_0
Changes since 1.112.2.1: +19 -19 lines
Diff to previous 1.112.2.1 to branch point 1.112
* sync sync sync

Revision 1.116, Tue Aug 10 13:44:40 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.115: +19 -19 lines
Diff to previous 1.115
* tons of new rules
* tons of new rule references
* tons of new rule docs
* initial documentation on preprocessor alerts (gen-sid.txt in doc/signatures)
* new build of the manual

Revision 1.102.2.7, Fri Jul 23 20:32:40 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.6: +67 -64 lines
Diff to previous 1.102.2.6 to branch point 1.102
* sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc

Revision 1.105.2.8, Fri Jul 23 20:26:27 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.7: +74 -69 lines
Diff to previous 1.105.2.7 to branch point 1.105
* new rules

Revision 1.112.2.1, Fri Jul 23 20:19:27 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_2
Changes since 1.112: +76 -70 lines
Diff to previous 1.112
* massive sync here too

Revision 1.115, Fri Jul 23 20:15:44 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.114: +76 -70 lines
Diff to previous 1.114
* sync sync sync
* go ruleteam go

Revision 1.102.2.6, Thu Jul 15 19:14:33 2004 UTC (5 years, 7 months ago) by bmc
Branch: SNORT_2_0
Changes since 1.102.2.5: +257 -248 lines
Diff to previous 1.102.2.5 to branch point 1.102
* massive sync from head

Revision 1.114, Thu Jul 15 16:21:29 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.113: +136 -134 lines
Diff to previous 1.113
* yet another sync, let's go forward in time, not backwards...

Revision 1.113, Wed Jul 14 21:16:10 2004 UTC (5 years, 7 months ago) by bmc
Branch: MAIN
Changes since 1.112: +134 -136 lines
Diff to previous 1.112
* massive rule updates (go ruleteam, go)

Revision 1.105.2.7, Wed Jun 16 20:34:24 2004 UTC (5 years, 8 months ago) by bmc
Branch: SNORT_2_1
Changes since 1.105.2.6: +2 -2 lines
Diff to previous 1.105.2.6 to branch point 1.105
* sync

Revision 1.112, Wed Jun 16 20:32:48 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
CVS Tags: SNORT_v2_2_0-RC1
Branch point for: SNORT_2_2
Changes since 1.111: +2 -2 lines
Diff to previous 1.111
* fix the fact that someone can't count (oops)

Revision 1.105.2.6, Wed Jun 16 15:11:07 2004 UTC (5 years, 8 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.105.2.5: +135 -133 lines
Diff to previous 1.105.2.5 to branch point 1.105
* Syncing changes for rules team

Revision 1.111, Tue Jun 15 13:47:08 2004 UTC (5 years, 8 months ago) by bmc
Branch: MAIN
Changes since 1.110: +136 -134 lines
Diff to previous 1.110
* let's try this *again*

Revision 1.110, Thu Jun 3 20:11:05 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: MAIN
Changes since 1.109: +249 -240 lines
Diff to previous 1.109
* sync with sforge current

Revision 1.105.2.5, Thu Jun 3 18:13:38 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3
Changes since 1.105.2.4: +240 -239 lines
Diff to previous 1.105.2.4 to branch point 1.105
* updating 2.1.3 from sforge

Revision 1.105.2.4, Fri May 28 19:21:41 2004 UTC (5 years, 9 months ago) by jhewlett
Branch: SNORT_2_1
Changes since 1.105.2.3: +8 -4 lines
Diff to previous 1.105.2.3 to branch point 1.105
* syncing up sfire with sforge 2.1 branch

Revision 1.109, Sun Apr 18 20:32:59 2004 UTC (5 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.108: +11 -5 lines
Diff to previous 1.108
* a ton of new rules, a bunch of updates too.

2447 || WEB-MISC ServletManager access || cve,CAN-2001-1195 || nessus,12122
2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120
2449 || FTP ALLO overflow attempt || bugtraq,9953
2450 || CHAT Yahoo IM successful logon
2451 || CHAT Yahoo IM voicechat
2452 || CHAT Yahoo IM ping
2453 || CHAT Yahoo IM conference invitation
2454 || CHAT Yahoo IM conference logon success
2455 || CHAT Yahoo IM conference message
2456 || CHAT Yahoo IM file transfer request
2457 || CHAT Yahoo IM message
2458 || CHAT Yahoo IM successful chat join
2459 || CHAT Yahoo IM webcam offer invitation
2460 || CHAT Yahoo IM webcam request
2461 || CHAT Yahoo IM webcam watch
2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2464 || EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,CAN-2004-0176
2465 || NETBIOS SMB-DS IPC$ share access
2466 || NETBIOS SMB-DS IPC$ share unicode access
2467 || NETBIOS SMB D$ share unicode access
2468 || NETBIOS SMB-DS D$ share access
2469 || NETBIOS SMB-DS D$ share unicode access
2470 || NETBIOS SMB C$ share unicode access
2471 || NETBIOS SMB-DS C$ share access
2472 || NETBIOS SMB-DS C$ share unicode access
2473 || NETBIOS SMB ADMIN$ share unicode access
2474 || NETBIOS SMB-DS ADMIN$ share access
2475 || NETBIOS SMB-DS ADMIN$ share unicode access
2476 || NETBIOS SMB-DS Create AndX Request winreg attempt
2477 || NETBIOS SMB-DS Create AndX Request winreg unicode attempt
2478 || NETBIOS SMB-DS DCERPC bind winreg attempt
2479 || NETBIOS SMB-DS DCERPC bind winreg unicode attempt
2480 || NETBIOS SMB-DS DCERPC shutdown unicode attempt
2481 || NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt
2482 || NETBIOS SMB-DS DCERPC shutdown attempt
2483 || NETBIOS SMB-DS DCERPC shutdown little endian attempt
2484 || WEB-MISC source.jsp access || nessus,12119
2485 || WEB-CLIENT Nortan antivirus sysmspam.dll load attempt || bugtraq,9916
2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004
2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758
2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758
2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978
2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978
2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2493 || NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2494 || NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2003-0813
2497 || IMAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2498 || IMAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2499 || MISC LDAP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2500 || MISC LDAP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2501 || POP3 invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2502 || POP3 invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2503 || SMTP invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2504 || SMTP invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2505 || WEB-MISC invalid SSLv3 data version attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120
2506 || WEB-MISC invalid SSLv3 timestamp attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120

Revision 1.102.2.5, Mon Mar 22 16:26:30 2004 UTC (5 years, 11 months ago) by cazz
Branch: SNORT_2_0
Changes since 1.102.2.4: +3 -5 lines
Diff to previous 1.102.2.4 to branch point 1.102
* sync sync sync

Revision 1.105.2.3, Mon Mar 22 16:18:35 2004 UTC (5 years, 11 months ago) by cazz
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_3-RC1, SNORT_v2_1_2
Changes since 1.105.2.2: +8 -7 lines
Diff to previous 1.105.2.2 to branch point 1.105
* sync sync sync

Revision 1.108, Sat Mar 20 21:58:43 2004 UTC (5 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.107: +13 -3 lines
Diff to previous 1.107
* Added a ton of rules that include vulnerabilities in many high-profile
  security products, including Checkpoint & ISS gear (see below)
* provided a single high-powered rule for detecting all of the evil virus emails
* added even more docs.  (Go Nigel)

2405 || WEB-PHP phptest.php access || bugtraq,9737
2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
2407 || WEB-MISC util.pl access || bugtraq,9748
2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
2409 || POP3 APOP USER overflow attempt || bugtraq,9794
2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
2416 || FTP invalid MDTM command attempt
2417 || FTP format string attempt
2418 || MISC MS Terminal Server no encryption session initiation attmept || url,www.microsoft.com/technet/security/bulletin/MS01-052.asp
2419 || MULTIMEDIA realplayer .ram playlist download attempt
2420 || MULTIMEDIA realplayer .rmp playlist download attempt
2421 || MULTIMEDIA realplayer .smi playlist download attempt
2422 || MULTIMEDIA realplayer .rt playlist download attempt
2423 || MULTIMEDIA realplayer .rp playlist download attempt
2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2426 || NNTP version overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
2432 || NNTP article post without path attempt
2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9738 || cve,CAN-2003-0726
2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,CAN-2004-0169
2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html

Revision 1.105.2.2, Mon Mar 1 15:04:39 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_1
Changes since 1.105.2.1: +22 -16 lines
Diff to previous 1.105.2.1 to branch point 1.105
* sync sync sync

Revision 1.102.2.4, Mon Mar 1 14:40:42 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_0
Changes since 1.102.2.3: +22 -16 lines
Diff to previous 1.102.2.3 to branch point 1.102
* sync new rules downwards

Revision 1.107, Fri Feb 27 22:36:20 2004 UTC (6 years ago) by cazz
Branch: MAIN
Changes since 1.106: +33 -23 lines
Diff to previous 1.106
* 44 new rules, 52 updates.  see snort-sigs mailing list in a few days for the full details.

The cool rules are:
(For ISS buffer overflow detection!)
NETBIOS SMB Session Setup AndX request username overflow attempt
NETBIOS SMB Data Service Session Setup AndX request username overflow attempt
NETBIOS SMB Session Setup AndX request unicode username overflow attempt
NETBIOS SMB Data Service Session Setup AndX request unicode username overflow attempt

(For FW1 ISAKMP buffer overflow detection!)
EXPLOIT ISAKMP first payload certificate request length overflow attempt
EXPLOIT ISAKMP second payload certificate request length overflow attempt
EXPLOIT ISAKMP third payload certificate request length overflow attempt
EXPLOIT ISAKMP forth payload certificate request length overflow attempt
EXPLOIT ISAKMP fifth payload certificate request length overflow attempt

Revision 1.105.2.1, Wed Feb 25 16:52:52 2004 UTC (6 years ago) by jh8
Branch: SNORT_2_1
CVS Tags: SNORT_v2_1_1
Changes since 1.105: +2 -1 lines
Diff to previous 1.105
* Bringing RC1 up to 2.1.1

Revision 1.102.2.3, Fri Feb 20 20:39:31 2004 UTC (6 years ago) by cazz
Branch: SNORT_2_0
Changes since 1.102.2.2: +2 -1 lines
Diff to previous 1.102.2.2 to branch point 1.102
* sync sync sync, sync sync sync, sync your rules

Revision 1.106, Fri Feb 20 17:16:37 2004 UTC (6 years ago) by cazz
Branch: MAIN
Changes since 1.105: +2 -1 lines
Diff to previous 1.105
* bunch o bunch o updates

Revision 1.102.2.2, Mon Dec 22 16:39:24 2003 UTC (6 years, 2 months ago) by cazz
Branch: SNORT_2_0
Changes since 1.102.2.1: +3 -1 lines
Diff to previous 1.102.2.1 to branch point 1.102
Everybody, get on the floor, let's dance
Don't fight your feelings, give yourself a chance
Sync sync sync, sync sync sync, sync your RULES, sync your RULES

Feel free to sing along, K.C. and Sunshine Band style

Revision 1.105, Tue Dec 16 22:14:42 2003 UTC (6 years, 2 months ago) by cazz
Branch: MAIN
CVS Tags: version-2-1-0, SNORT_v2_1_1-RC1, SNORT_v2_1_0
Branch point for: SNORT_2_1
Changes since 1.104: +4 -1 lines
Diff to previous 1.104
* a bunch of rule changes, including a ton of new rules.  go PCRE.  stable sync will happen later tonight.

2259 || SMTP EXPN overflow attempt || cve,CAN-2002-1337 || bugtraq,6991 || cve,CAN-2003-0161 || bugtraq,7230 || cve,CAN-2003-0161
2260 || SMTP VRFY overflow attempt || cve,CAN-2002-1337 || bugtraq,6991 || cve,CAN-2003-0161 || bugtraq,7230 || cve,CAN-2003-0161
2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,CAN-2003-0854 || cve,CAN-2003-0853
2273 || IMAP login brute force attempt
2274 || POP3 login brute force attempt
2275 || SMTP AUTH LOGON brute force attempt
2276 || WEB-MISC oracle portal demo access || nessus,11918
2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,CAN-2003-0626 || cve,CAN-2003-0627
2278 || WEB-MISC negative Content-Length attempt || bugtraq,9098
2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
2280 || WEB-PHP Title.php access || bugtraq,9057
2281 || WEB-PHP Setup.php access || bugtraq,9057
2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
2284 || WEB-PHP rolis guestbook arbitrary command execution attempt || bugtraq,9057
2285 || WEB-PHP rolis guestbook access || bugtraq,9057
2286 || WEB-PHP friends.php access || bugtraq,9088
2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890
2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890
2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890
2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890
2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890
2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890
2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890
2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890
2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890
2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890
2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890
2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890
2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890
2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890
2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890
2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890
2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890
2304 || WEB-PHP files.inc.php access || bugtraq,8910
2305 || WEB-PHP chatbox.php access || bugtraq,8930
2306 || WEB-PHP gallery arbitrary command execution attempt || bugtraq,8814 || nessus,11876
2307 || WEB-PHP PayPal Storefront arbitrary command execution attempt || bugtraq,8791 || nessus,11873
2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt
2309 || NETBIOS SMB DCERPC Workstation Service bind attempt
2310 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt microsoft-ds
2311 || NETBIOS SMB DCERPC Workstation Service bind attempt microsoft-ds
2312 || SHELLCODE x86 0x71FB7BAB NOOP
2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
2314 || SHELLCODE x86 0x90 NOOP unicode
2315 || NETBIOS DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.asp || bugtraq,9011 || cve,CAN-2003-0812
2316 || NETBIOS DCERPC Workstation Service direct service access attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.asp || bugtraq,9011 || cve,CAN-2003-0812
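The lines above are sid-msg.map entries in the form `sid || msg || reftype,refid || ...`, the same format the later commit messages on this page use when listing added signatures. As an added example (not code from the Snort project), the parser below reads such lines, unescapes the backslash-escaped characters the rule language requires in a msg, tolerates the stray leading `:` that appears in one entry on this page, and then answers two triage questions a rule maintainer asks of a map: which sids carry no reference at all, and which CVE identifiers the set covers. The sample input is constructed from lines on this page; the function and type names are this example's own.

```python
"""Parse Snort sid-msg.map style lines: 'sid || msg || reftype,refid || ...'.

Added example for this page; not part of Snort or Sourcefire code.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Ref = Tuple[str, str]  # (reference type, reference id), e.g. ("cve", "CAN-2003-0812")


class SidEntry(NamedTuple):
    sid: int
    msg: str
    refs: Tuple[Ref, ...]


SEP = " || "
_ESCAPE = re.compile(r"\\(.)")

# Constructed sample, shaped like the entries listed on this page.
SAMPLE = """\
2278 || WEB-MISC negative Content-Length attempt || bugtraq,9098
1860 || EXPERIMENTAL WEB-MISC Linksys router default password login attempt \\(\\:admin\\) || nessus,10999
1866 || POP3 USER overflow attempt || :nessus,10311 || cve,CVE-1999-0494
1917 || SCAN UPNP service discover attempt
2315 || NETBIOS DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.asp || bugtraq,9011 || cve,CAN-2003-0812
"""


def unescape_msg(msg: str) -> str:
    """Drop the backslashes the rule language needs before ':' '(' ')' etc.,
    so the msg reads the way it is printed in an alert."""
    return _ESCAPE.sub(r"\1", msg)


def parse_ref(field: str) -> Ref:
    """Split 'reftype,refid' on the first comma only (URL ids may contain commas).
    Assumption: a leading ':' (as in sid 1866 on this page) is a typo and is dropped."""
    field = field.strip().lstrip(":")
    reftype, sep, refid = field.partition(",")
    if not sep:
        raise ValueError(f"reference without ',': {field!r}")
    return reftype.strip().lower(), refid.strip()


def parse_line(line: str) -> Optional[SidEntry]:
    """Return a SidEntry, or None for blank, comment or non-entry lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(SEP)
    if len(fields) < 2 or not fields[0].strip().isdigit():
        return None
    sid = int(fields[0])
    msg = unescape_msg(fields[1].strip())
    refs = tuple(parse_ref(f) for f in fields[2:] if f.strip())
    return SidEntry(sid, msg, refs)


def parse_map(text: str) -> Dict[int, SidEntry]:
    """Parse a whole map; a duplicate sid is an error, since sids must be unique."""
    entries: Dict[int, SidEntry] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.sid in entries:
            raise ValueError(f"duplicate sid {entry.sid}")
        entries[entry.sid] = entry
    return entries


def unreferenced(entries: Dict[int, SidEntry]) -> List[int]:
    """Sids that carry no reference; candidates for adding a bugtraq/cve/url ref."""
    return sorted(sid for sid, e in entries.items() if not e.refs)


def ids_of_type(entries: Dict[int, SidEntry], reftype: str) -> List[str]:
    """All distinct reference ids of one type (e.g. every CVE/CAN id in the map)."""
    return sorted({refid for e in entries.values() for t, refid in e.refs if t == reftype})


if __name__ == "__main__":
    parsed = parse_map(SAMPLE)
    print("sids without references:", unreferenced(parsed))
    print("CVE ids covered:", ids_of_type(parsed, "cve"))
```

Run it against a real `sid-msg.map` by replacing `SAMPLE` with the file contents; the duplicate-sid check is the same property the `regen sid-msg.map` steps in the log below rely on.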

Revision 1.102.2.1 / (view) - annotate - [select for diffs] , Tue Nov 25 14:03:29 2003 UTC (6 years, 3 months ago) by cazz
Branch: SNORT_2_0
CVS Tags: version-2-0-6
Changes since 1.102: +23 -6 lines
Diff to previous 1.102
* major sync from CURRENT.  lots of changes too many to list.  but it's all good and stuff.

Revision 1.104 / (view) - annotate - [select for diffs] , Thu Nov 20 20:56:57 2003 UTC (6 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.103: +5 -5 lines
Diff to previous 1.103
* remove backticked things from message.  this tends to fsck up too many tools

Revision 1.103 / (view) - annotate - [select for diffs] , Mon Oct 20 15:03:16 2003 UTC (6 years, 4 months ago) by chrisgreen
Branch: MAIN
CVS Tags: cmg
Changes since 1.102: +19 -2 lines
Diff to previous 1.102
* Major add/commit of 2.1 feature set...

  Will do a tag and then remove the "moved" files

Revision 1.102 / (view) - annotate - [select for diffs] , Fri Jun 13 18:25:05 2003 UTC (6 years, 9 months ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-5, version-2-0-2, version-2-0-1
Branch point for: SNORT_2_0
Changes since 1.101: +8 -2 lines
Diff to previous 1.101
* added sid:2123 - ATTACK-RESPONSES Microsoft cmd.exe banner
* added sid:2124 - BACKDOOR Remote PC Access connection attempt
* added sid:2125 - FTP CWD C:\\
* added sid:2126 - MISC Microsoft PPTP Start Control Request buffer overflow attempt
* added sid:2127 - WEB-CGI ikonboard.cgi access
* added sid:2128 - WEB-CGI swsrv.cgi access
* added sid:2129 - WEB-IIS nsiislog.dll access
* added sid:2130 - WEB-IIS IISProtect siteadmin.asp access
* added sid:2131 - WEB-IIS IISProtect access
* added sid:2132 - WEB-IIS Synchrologic Email Accelerator userid list access attempt
* added sid:2133 - WEB-IIS MS BizTalk server access
* added sid:2134 - WEB-IIS register.asp access
* added sid:2135 - WEB-MISC philboard.mdb access
* added sid:2136 - WEB-MISC philboard_admin.asp authentication bypass attempt
* added sid:2137 - WEB-MISC philboard_admin.asp access
* added sid:2138 - WEB-MISC logicworks.ini access
* added sid:2139 - WEB-MISC /*.shtml access
* added sid:2140 - WEB-PHP p-news.php access
* added sid:2141 - WEB-PHP shoutbox.php directory traversal attempt
* added sid:2142 - WEB-PHP shoutbox.php access
* added sid:2143 - WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
* added sid:2144 - WEB-PHP b2 cafelog gm-2-b2.php access
* added sid:2145 - WEB-PHP TextPortal admin.php default password (admin) attempt
* added sid:2146 - WEB-PHP TextPortal admin.php default password (12345) attempt
* added sid:2147 - WEB-PHP BLNews objects.inc.php4 remote command execution attempt
* added sid:2148 - WEB-PHP BLNews objects.inc.php4 access
* added sid:2149 - WEB-PHP Turba status.php access
* added sid:2150 - WEB-PHP ttCMS header.php remote command execution attempt
* added sid:2151 - WEB-PHP ttCMS header.php access
* added sid:2152 - WEB-PHP test.php access
* added sid:2153 - WEB-PHP autohtml.php directory traversal attempt
* added sid:2154 - WEB-PHP autohtml.php access
* added sid:2155 - WEB-PHP ttforum remote command execution attempt
* added sid:2156 - WEB-MISC mod_gzip_status access
* added sid:2157 - WEB-IIS IISProtect GlobalAdmin.asp access
* added sid:2158 - MISC BGP invalid length
* added sid:2159 - MISC BGP invalid type (0)
* added sid:2160 - VIRUS OUTBOUND .exe file attachment
* added sid:2161 - VIRUS OUTBOUND .doc file attachment
* added sid:2162 - VIRUS OUTBOUND .hta file attachment
* added sid:2163 - VIRUS OUTBOUND .chm file attachment
* added sid:2164 - VIRUS OUTBOUND .reg file attachment
* added sid:2165 - VIRUS OUTBOUND .ini file attachment
* added sid:2166 - VIRUS OUTBOUND .bat file attachment
* added sid:2167 - VIRUS OUTBOUND .diz file attachment
* added sid:2168 - VIRUS OUTBOUND .cpp file attachment
* added sid:2169 - VIRUS OUTBOUND .dll file attachment
* added sid:2170 - VIRUS OUTBOUND .vxd file attachment
* added sid:2171 - VIRUS OUTBOUND .sys file attachment
* added sid:2172 - VIRUS OUTBOUND .com file attachment
* added sid:2173 - VIRUS OUTBOUND .hsq file attachment
* added sid:2174 - NETBIOS SMB winreg access
* added sid:2175 - NETBIOS SMB winreg access (unicode)
* added sid:2176 - NETBIOS SMB Startup Folder access attempt
* added sid:2177 - NETBIOS SMB Startup Folder access attempt (unicode)

Revision 1.101 / (view) - annotate - [select for diffs] , Wed May 14 18:07:59 2003 UTC (6 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.100: +1 -2 lines
Diff to previous 1.100
* major push of rules.  see snort-sigs email for all the changes.

Revision 1.100 / (view) - annotate - [select for diffs] , Thu Apr 17 00:35:48 2003 UTC (6 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.99: +62 -74 lines
Diff to previous 1.99
* MASSIVE sync of rules

This is the first major sync of rules since I started working for Sourcefire.

Many of these updates are a direct result of my employment at Sourcefire.  We
have time and resources to test and document rules extensively.  Many people
have contributed to these updates.  Too many to mention here.

You should continue to see awesome updates, rewrites and new rules as
Sourcefire is dedicating serious resources to the Snort project.

Even if you don't buy an appliance from Sourcefire, you should send an
email to info@sourcefire.com to let them know how much you appreciate their
dedication to making snort awesome.

Revision 1.92.2.3 / (view) - annotate - [select for diffs] , Thu Apr 17 00:22:49 2003 UTC (6 years, 10 months ago) by cazz
Branch: SNORT_1_9
Changes since 1.92.2.2: +3 -3 lines
Diff to previous 1.92.2.2 to branch point 1.92 to next main 1.93
* happy happy joy joy.  last commit of rules to 1.9

* remove sid:2103 - byte_test don't exist for 1.9.  wtf was i thinking?
* update sid:1955 - sever/server
* update sid:1250 - no more regex
* update sid:1108 - no more regex

Revision 1.99 / (view) - annotate - [select for diffs] , Tue Mar 25 22:09:29 2003 UTC (6 years, 11 months ago) by cazz
Branch: MAIN
CVS Tags: version-2-0-0
Changes since 1.98: +3 -3 lines
Diff to previous 1.98
* update sid:1845 - add missing offset to byte_test
* update sid:1955 - correct flow, use offset/depth
* update sid:1250 - remove regex
* update sid:1108 - remove regex

Revision 1.92.2.2 / (view) - annotate - [select for diffs] , Fri Feb 7 22:05:16 2003 UTC (7 years, 1 month ago) by cazz
Branch: SNORT_1_9
CVS Tags: version-1-9-1
Changes since 1.92.2.1: +8 -4 lines
Diff to previous 1.92.2.1 to branch point 1.92
* merge merge merge merge merge.  Happy with the merge?

Revision 1.98 / (view) - annotate - [select for diffs] , Wed Jan 22 02:35:11 2003 UTC (7 years, 1 month ago) by cazz
Branch: MAIN
CVS Tags: CMG
Changes since 1.97: +2 -2 lines
Diff to previous 1.97
* wee.  new rules.  check snort-sigs in a bit for the changes

Revision 1.97 / (view) - annotate - [select for diffs] , Mon Nov 25 01:58:13 2002 UTC (7 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.96: +20 -7 lines
Diff to previous 1.96
* updated sid:107 - corrected bad content checks
* updated sid:159 - corrected client/server pair
* updated sid:195 - corrected client/server pair
* updated sid:1929 - (trust me, it changed between 1,2 and 3)
* updated sid:524 - removed invalid references
* updated sid:238 - corrected client/server pair
* updated sid:1257 - added additional ports that can be targeted
* updated sid:306 - added reference
* updated sid:1919 - added references
* updated sid:1734 - added references
* updated sid:361 - added distance to limit false positives
* updated sid:362 - removed RETR content check (can be used with STOR as well)
* updated sid:1377 - added distance to limit false positives
* updated sid:1378 - added distance to limit false positives
* re-enabled sid:1748 - should be on by default
* updated sid:1844 - use byte_test instead of distance
* updated sid:1845 - use byte_test instead of distance
* updated sid:1903 - remove additional un-needed content
* updated sid:1755 - use within
* disabled sid:293 - replaced with other sids
* disabled sid:295 - replaced with other sids
* disabled sid:296 - replaced with other sids
* disabled sid:297 - replaced with other sids
* disabled sid:298 - replaced with other sids
* disabled sid:299 - replaced with other sids
* updated sid:489 - added within
* updated sid:1866 - added references
* disabled sid:570 - replaced with other sids
* disabled sid:571 - replaced with other sids
* updated sid:664 - updated MSG to be more clear
* updated sid:1289 - added offsets
* updated sid:1441 - added offsets
* updated sid:1442 - added offsets
* updated sid:1443 - added offsets
* updated sid:519 - added offsets
* updated sid:1149 - updated MSG to be more clear
* disabled sid:1287 - too false positive to be on by default
* updated sid:1069 - updated MSG to be more clear
* updated sid:1519 - updated MSG to be correct, update content to be correct
* updated sid:1809 - use HTTP_PORTS instead of 80
* updated sid:1826 - correct uricontent
* disabled sid:1171 - too false positive to be on by default

* deleted sid:874 - very bad rule
* deleted sid:318 - replaced by sid:1939 and sid:1940
* deleted sid:319 - replaced by sid:1939 and sid:1940

* reordered rpc.rules to be a bit more clear
* reordered dns.rules to be a bit more clear
* added pop2.rules
* disabled asn1_decode, as it shouldn't be on by default
* added the following rules:
1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
1930 || IMAP auth overflow attempt || cve,CVE-1999-0005
1931 || WEB-CGI rpc-nlog.pl access || cve,CAN-1999-1278
1932 || WEB-CGI rpc-smb.pl access || cve,CAN-1999-1278
1933 || WEB-CGI cart.cgi access
1934 || POP2 FOLD overflow attempt || cve,CVE-1999-0920 || bugtraq,283
1935 || POP2 FOLD arbitrary file attempt
1936 || POP3 AUTH overflow attempt
1937 || POP3 LIST overflow attempt || cve,CAN-2000-0096 || bugtraq,948
1938 || POP3 XTND overflow attempt
1939 || MISC bootp hardware address lenght overflow || cve,CAN-1999-0798
1940 || MISC bootp invalid hardware type || cve,CAN-1999-0798
1941 || TFTP filename overflow attempt || bugtraq,5328 || cve,CAN-2002-0813
1942 || FTP RMDIR overflow attempt
1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,CVE-2000-0396
1944 || WEB-MISC /ecscripts/ecware.exe access
1945 || WEB-IIS unicode directory traversal attempt || cve,CVE-2000-0884
1946 || WEB-MISC answerbook2 admin attempt
1947 || WEB-MISC answerbook2 arbitrary command execution attempt
1948 || DNS zone transfer UDP || arachnids,212 || cve,CAN-1999-0532
1949 || RPC portmap SET attempt TCP 111
1950 || RPC portmap SET attempt UDP 111
1951 || RPC mountd TCP mount request
1952 || RPC mountd UDP export request
1953 || RPC AMD TCP pid request
1954 || RPC AMD UDP pid request
1955 || RPC AMD TCP version request
1956 || RPC AMD UDP version request
1957 || RPC sadmind UDP PING || bugtraq,866
1958 || RPC sadmind TCP PING || bugtraq,866
1959 || RPC portmap request NFS UDP
1960 || RPC portmap request NFS TCP
1961 || RPC portmap request RQUOTA UDP
1962 || RPC portmap request RQUOTA TCP
1963 || RPC RQUOTA UDP getquota overflow attempt || bugtraq,864 || cve,CVE-1999-0974
1964 || RPC tooltalk UDP overflow attempt
1965 || RPC tooltalk TCP overflow attempt
1966 || MISC GlobalSunTech Access Point Information Discolsure attempt || bugtraq,6100
1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
1969 || WEB-MISC ion-p access || bugtraq,6091
1970 || WEB-IIS MDAC Content-Type overflow attempt
1971 || FTP SITE EXEC format string attempt
1972 || FTP PASS overflow attempt || cve,CAN-2002-0126 || cve,CAN-2000-1035
1973 || FTP MKD overflow attempt || bugtraq,612 || cve,CAN-1999-0911
1974 || FTP REST overflow attempt || cve,CAN-2001-0826
1975 || FTP DELE overflow attempt || cve,CAN-2001-0826
1976 || FTP RMD overflow attempt || cve,CAN-2001-0826
1977 || WEB-MISC xp_regwrite attempt
1978 || WEB-MISC xp_regdeletekey attempt
1979 || WEB-MISC perl post attempt || nessus,11158 || bugtraq,5520

Revision 1.92.2.1 / (view) - annotate - [select for diffs] , Sun Nov 17 04:40:09 2002 UTC (7 years, 3 months ago) by cazz
Branch: SNORT_1_9
Changes since 1.92: +101 -9 lines
Diff to previous 1.92
* major sync from current (look ma, no experimental.rules)
* added pop2.rules
* regen sid-msg.map

Revision 1.96 / (view) - annotate - [select for diffs] , Wed Nov 6 13:35:15 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.95: +2 -1 lines
Diff to previous 1.95
* add my notes to RULES.todo
* delete sid:1620 - spp_conversation takes care of this
* moved sid:1429,1447,1448,1545,1636,1641,1771,1791,1801,1802,1803,1804,1808,
  1810,1811,1812,1819,1821,1832,1838,1842,1843,1844,1845,1902,1903,1904,1846,
  1853,1854,1855,1856,1865,1888,1887,1889,1905,1906,1907,1908,1909,1910,1911,
  1912,1480,1913,1914,1915,1916,1917,1918 to their final resting place.

This marks the end of experimental.rules.  Please take a moment of silence.

Revision 1.95 / (view) - annotate - [select for diffs] , Tue Nov 5 21:40:52 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.94: +4 -1 lines
Diff to previous 1.94
* re-enable sid:1104,1087,1171 - these don't need to be deleted

Revision 1.94 / (view) - annotate - [select for diffs] , Tue Nov 5 21:02:03 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.93: +4 -7 lines
Diff to previous 1.93
* updated sid:1382 - removed dsize, added within
* deleted sid:329 - duplicate of 330
* deleted sid:1477 - duplicate of 1478
* deleted sid:1246 - duplicate of 1248
* deleted sid:1247 - duplicate of 1249
* deleted sid:1171 - broken because of stream reassembly, needs to be added to httpd decoder
* deleted sid:1104 - broken because of stream reassembly, needs to be added to httpd decoder
* deleted sid:1087 - broken because of stream reassembly, needs to be added to httpd decoder
* deleted sid:1780 - duplicate of 1755
* deleted sid:291 - duplicate of 1538
* updated sid:1842 - removed dsize, added within
* updated sid:337 - updated msg, removed dsize, added within
* updated sid:1377 - added CVE references
* updated sid:1378 - added CVE references
* updated sid:1379 - removed dsize, added within
* updated sid:1621 - removed dsize, added within
* updated sid:1529 - removed dsize, added within
* updated sid:1630 - removed dsize, added within
* updated sid:1562 - removed dsize, added within
* updated sid:1734 - removed dsize, added within
* updated sid:1755 - added CVE reference, added within
* updated sid:1388 - removed dsize, added within
* updated sid:1792 - added CVE reference, removed dsize, added within
* updated sid:1538 - added arachnids reference, removed dsize, added within
* updated sid:1866 - removed dsize, added within
* updated sid:1634 - removed dsize, added within
* updated sid:1635 - removed dsize, added within
* disabled sid:596 - soon to be replaced by other rules
* disabled sid:597 - soon to be replaced by other rules
* updated sid:1280 - added within to skip revisions (evasion protection)
* updated sid:598 - added within to skip revisions (evasion protection)
* updated sid:599 - added within to skip revisions (evasion protection)
* updated sid:1281 - added within to skip revisions (evasion protection)
* disabled sid:600 - soon to be replaced by other rules
* disabled sid:1282 - soon to be replaced by other rules
* updated sid:654 - removed dsize, added within
* updated sid:657 - removed dsize, added within
* updated sid:1549 - removed dsize, added within
* updated sid:1550 - removed dsize, added within
* updated sid:804 - removed dsize
* updated sid:821 - removed dsize
* updated sid:1242 - removed dsize
* updated sid:1244 - removed dsize
* updated sid:981:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:982:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:983:
  - removed "/scripts", attackers can use other directories
  - s/uricontent/content/ (http decoder decodes uricontent, we don't want to
    look at the decoded portion)
* updated sid:1044 - removed dsize
* updated sid:1181 - removed dsize
* updated sid:1258 - removed dsize
* updated sid:1260 - removed dsize, added within
* added the following rules:
1902 || EXPERIMENTAL IMAP lsub overflow attempt || cve,CAN-2000-0284 || nessus,10374
1903 || EXPERIMENTAL IMAP rename overflow attempt || cve,CAN-2000-0284 || nessus,10374
1904 || EXPERIMENTAL IMAP find overflow attempt || cve,CAN-2000-0284 || nessus,10374
1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,CVE-1999-0704
1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,CVE-1999-0704
1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,CVE-1999-0696
1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,CVE-1999-0696
1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,CVE-1999-0696
1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || url,www.cert.org/advisories/CA-99-08-cmsd.html || cve,CVE-1999-0696
1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,CVE-1999-0977
1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,CVE-1999-0977
1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,CVE-2000-0666
1917 || SCAN UPNP service discover attempt
1918 || SCAN SolarWinds IP scan attempt
1919 || FTP CWD overflow attempt
1920 || FTP SITE NEWER overflow attempt || cve,CVE-1999-0800
1921 || FTP SITE ZIPCHK attempt || cve,CVE-2000-0040
1922 || RPC portmap TCP proxy attempt
1923 || RPC portmap UDP proxy attempt

Revision 1.93 / (view) - annotate - [select for diffs] , Mon Oct 28 22:08:15 2002 UTC (7 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.92: +83 -1 lines
Diff to previous 1.92
* moved to proper .rules file from experimental.rules:
1605,1504,1890,1891,1638,1822,1823,1824,1825,1868,1869,1870,1875,1876,1877,
1878,1840,1841,1817,1818,1814,1826,1820,1827,1828,1829,1830,1831,1835,1839,
1847,1848,1849,1850,1851,1852,1857,1859,1860,1861,1862,1863,1871,1872,1873,
1874,1881,1815,1816,1834
* updated sid:1337,1338 - corrected content, don't include the full path

Revision 1.92 / (view) - annotate - [select for diffs] , Sun Aug 18 20:28:43 2002 UTC (7 years, 6 months ago) by cazz
Branch: MAIN
CVS Tags: version-1-9-0
Branch point for: SNORT_1_9
Changes since 1.91: +24 -22 lines
Diff to previous 1.91
* large update of signatures.  CVS disconnected during the last commit, so
  this is a recommit

Revision 1.91 / (view) - annotate - [select for diffs] , Sun Aug 11 23:37:19 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta5, beta-1_9_0-beta4
Changes since 1.90: +12 -7 lines
Diff to previous 1.90
* added default-login-attempt classification
* added notes for sid:1447,1448 about signature responses
* updated sid:1847 - added references
* updated sid:345 - update to remove a potential false negative
* updated sid:1622 - removed extra spaces
* updated sid:517 - removed extra spaces
* added notes for sid:517,1867
* updated sid:1634 - added references
* updated sid:1635 - added references
* updated sid:1549 - added references
* updated sid:805 - added references
* updated sid:807 - added references, corrected message
* updated sid:808 - added references
* updated sid:809 - added references, corrected message
* updated sid:810 - added references, corrected message
* updated sid:815 - added references
* updated sid:838 - added references
* updated sid:1454 - added references
* updated sid:853 - added references
* updated sid:861 - added references
* updated sid:867 - added references
* updated sid:896 - added references, corrected message
* updated sid:900 - added references
* updated sid:901 - added references
* updated sid:1482 - added references
* updated sid:1125 - added references
* updated sid:1126 - removed extra spaces
* updated sid:1158 - added references
* updated sid:1231 - added references, moved to be near 1232
* updated sid:1232 - added references
* updated sid:1499 - added references

* added the following signatures:
1857 || WEB-MISC robot.txt access || nessus,10302
1858 || EXPERIMENTAL WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || nessus,10819 || bugtraq,691
1859 || EXPERIMENTAL WEB-MISC Sun JavaServer default password login attempt || nessus,10995
1860 || EXPERIMENTAL WEB-MISC Linksys router default password login attempt \(\:admin\) || nessus,10999
1861 || EXPERIMENTAL WEB-MISC Linksys router default password login attempt \(admin\:admin\) || nessus,10999
1862 || EXPERIMENTAL WEB-CGI mrtg.cgi directory traversal attempt || nessus,11001
1863 || EXPERIMENTAL WEB-CGI mrtg.cgi access || nessus,11001
1864 || EXPERIMENTAL FTP SITE NEWER attempt || nessus,10319 || cve,CVE-1999-0880
1865 || WEB-CGI webdist.cgi arbitrary command attempt || nessus,10299 || cve,CVE-1999-0039 || bugtraq,374
1866 || POP3 USER overflow attempt || :nessus,10311 || cve,CVE-1999-0494
1867 || MISC xdmcp info query || nessus,10891

Revision 1.90 / (view) - annotate - [select for diffs] , Sun Aug 11 18:17:37 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.89: +2 -2 lines
Diff to previous 1.89
* updated sid:1171 - attempt to remove some frequent false positives (don't look at reassembled packets)

Revision 1.89 / (view) - annotate - [select for diffs] , Mon Aug 5 19:41:39 2002 UTC (7 years, 7 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta6
Changes since 1.88: +1 -2 lines
Diff to previous 1.88
* updated sid:1630 - added references
* updated sid:560 - updated content to look for multiple versions
* updated sid:837 - added references
* updated sid:890 - added references
* updated sid:1163 - corrected MSG, added references
* updated sid:1076 - moved to web-iis.rules, added references
* updated sid:1016 - added references, updated content to limit false positives
* updated sid:1043 - added references, re-enabled


* added the following signatures:

1842 || EXPERIMENTAL IMAP login buffer overflow attempt || cve,CVE-1999-0005 || nessus,10125
1843 || EXPERIMENTAL BACKDOOR trinity connection attempt || cve,CAN-2000-0138 || nessus,10501
1844 || EXPERIMENTAL IMAP authenticate overflow attempt || cve,CVE-1999-0042 || nessus,10292
1845 || EXPERIMENTAL IMAP list overflow attempt || cve,CAN-2000-0284 || nessus,10374
1846 || EXPERIMENTAL POLICY vnc viewer java applet download attempt || nessus,10758
1847 || EXPERIMENTAL WEB-MISC webalizer access || cve,CAN-1999-0643
1848 || WEB-MISC webcart-lite access || nessus,10298 || cve,CAN-1999-0610
1849 || WEB-MISC webfind.exe access || nessus,10475 || cve,CAN-2000-0622
1850 || WEB-MISC way-board.cgi access || nessus,10610
1851 || WEB-MISC active.log access || cve,CAN-2000-0642 || nessus,10470
1852 || WEB-MISC robots.txt access || nessus,10302
1853 || EXPERIMENTAL BACKDOOR win-trin00 connection attempt || nessus,10307 || cve,CAN-2000-0138

Revision 1.88 / (view) - annotate - [select for diffs] , Mon Aug 5 14:08:04 2002 UTC (7 years, 7 months ago) by chrisgreen
Branch: MAIN
Changes since 1.87: +2 -2 lines
Diff to previous 1.87
* rmp -> rpm ( thanks to Owen Crow )

Revision 1.87 / (view) - annotate - [select for diffs] , Tue Jul 2 13:45:14 2002 UTC (7 years, 8 months ago) by cazz
Branch: MAIN
CVS Tags: beta-1_9_0-beta2
Changes since 1.86: +2 -1 lines
Diff to previous 1.86
* added the following signatures:
1809 || WEB-MISC Apache Chunked-Encoding worm attempt || cve,CAN-2002-0392 || bugtraq,5033 || cve,CAN-2002-0079 || bugtraq,4474
1810 || EXPERIMENTAL MISC successful gobbles ssh exploit (GOBBLE) || bugtraq,5093
1811 || EXPERIMENTAL MISC successful gobbles ssh exploit (uname) || bugtraq,5093
1812 || EXPERIMENTAL MISC gobbles SSH exploit attempt || bugtraq,5093

(Thanks to Andreas Östling, who I also have to use cut&paste to give praise :P)

Revision 1.86 / (view) - annotate - [select for diffs] , Sun Jun 23 18:44:31 2002 UTC (7 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.85: +1 -2 lines
Diff to previous 1.85
* updated sid:1233 - cleaned up flow to make it more obvious
* updated sid:1735 - added flow
* updated sid:1284 - cleaned up flow to make it more obvious
* moved sid:1290 - moved to web-client.rules (and cleaned up while I was at it)

Revision 1.85 / (view) - annotate - [select for diffs] , Sat Jun 22 15:10:08 2002 UTC (7 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.84: +1 -2 lines
Diff to previous 1.84
* moved sid:1284 - now in web-clients.rules (fixed msg while I was at it)

Revision 1.84 / (view) - annotate - [select for diffs] , Fri Jun 21 22:53:02 2002 UTC (7 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.83: +2 -2 lines
Diff to previous 1.83
* updated sid:1233 - corrected uricontent
* updated sid:1662 - corrected uricontent

Thanks to Jesenne of SecurityFocus for these corrections.

Revision 1.83 / (view) - annotate - [select for diffs] , Wed Jun 19 00:40:32 2002 UTC (7 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.82: +2 -1 lines
Diff to previous 1.82
* added the following signature:
1807 || WEB-MISC Transfer-Encoding\: chunked || cve,CAN-2002-0392 || bugtraq,5033 || cve,CAN-2002-0079 || bugtraq,4474

NOTE: This is a generic version of sid 1807 and 1618.  This may false positive
some, but for now, this is good enough.

Revision 1.82 / (view) - annotate - [select for diffs] , Wed Jun 5 21:26:09 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.81: +1 -5 lines
Diff to previous 1.81
* oops, delete repeated sigs from sync

Revision 1.81 / (view) - annotate - [select for diffs] , Wed Jun 5 14:59:33 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.80: +2 -2 lines
Diff to previous 1.80
* updated sid:1133 - no, don't need flow here.
* updated sid:513 - no, don't need flow here.

Revision 1.80 / (view) - annotate - [select for diffs] , Wed Jun 5 14:47:56 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.79: +52 -7 lines
Diff to previous 1.79
* This is a massive change.  Since I'm really busy ATM, this is what changed.

* created imap.rules, nntp.rules, pop3.rules, other-ids.rules, web-client.rules,
   web-php.rules and moved signatures into those.

* added the following signatures:
1793 || PORN fetish
1794 || PORN masturbation
1795 || PORN ejaculation
1796 || PORN virgin
1797 || PORN BDSM
1798 || PORN erotica
1799 || PORN fisting
1800 || VIRUS Klez Incoming

Revision 1.79 / (view) - annotate - [select for diffs] , Tue May 28 18:01:27 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.78: +3 -3 lines
Diff to previous 1.78
* added a few more things to my wishlist
* added /cgi-bin-sdb/ to the cgi-bin directory content list.
* updated sid:886 - updated classtype
* updated sid:1182 - corrected CVE ref
* updated sid:1587 - corrected CVE ref

* added the following signatures:
1762 || WEB-CGI phf arbitrary command execution attempt || cve,CVE-1999-0067 || arachnids,128 || bugtraq,629
1763 || EXPERIMENTAL WEB-CGI Nortel Contivity cgiproc DOS attempt || cve,CVE-2000-0063 || cve,CVE-2000-0064 || bugtraq,938
1764 || EXPERIMENTAL WEB-CGI Nortel Contivity cgiproc DOS attempt || cve,CVE-2000-0063 || cve,CVE-2000-0064 || bugtraq,938
1765 || EXPERIMENTAL WEB-CGI Nortel Contivity cgiproc access || cve,CVE-2000-0063 || cve,CVE-2000-0064 || bugtraq,938
1766 || EXPERIMENTAL WEB-MISC search.dll directory listing attempt || cve,CAN-2000-0835
1767 || EXPERIMENTAL WEB-MISC search.dll access || cve,CAN-2000-0835
1768 || EXPERIMENTAL WEB-IIS header field buffer overflow attempt || bugtraq,4476
1769 || EXPERIMENTAL WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html
1770 || EXPERIMENTAL WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html
1771 || EXPERIMENTAL MISC IPSec PGPNet connection attempt
1772 || EXPERIMENTAL WEB-IIS pbserver access || url,www.microsoft.com/technet/security/bulletin/ms00-094.asp
1773 || EXPERIMENTAL WEB-MISC php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html
1774 || EXPERIMENTAL WEB-MISC bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html
1775 || MYSQL root login attempt
1776 || MYSQL show databases attempt
1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482
1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482
1779 || FTP CWD .... attempt || bugtraq,4884

Revision 1.78 / (view) - annotate - [select for diffs] , Wed May 15 20:09:52 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.77: +2 -2 lines
Diff to previous 1.77
* updated sid:1047 - depth too small for content

Revision 1.77 / (view) - annotate - [select for diffs] , Wed May 15 12:45:33 2002 UTC (7 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.76: +206 -206 lines
Diff to previous 1.76
woohoo.  Biggest change we've made in a while.  We've removed "flags:A+"
in favor of "flow:established".  Initial testing shows that this change
is about a 200% speed increase.

NOTE: I know that not all of the signatures have been converted.  There are
144 signatures with flags left to be looked at.  I'll commit them later today,
but this is the majority of them.

Revision 1.76 / (view) - annotate - [select for diffs] , Sun May 12 23:51:35 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.75: +205 -205 lines
Diff to previous 1.75
* enable HTTP_PORTS variable.

The port that we check all of the web signatures against is set with the
HTTP_PORTS variable.  If you have web servers running on more than one port,
you should enable the signatures like this:

var HTTP_PORTS 80
include web-cgi.rules
var HTTP_PORTS 8080
include web-cgi.rules

Revision 1.75 / (view) - annotate - [select for diffs] , Sat May 4 00:53:25 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.74: +2 -2 lines
Diff to previous 1.74
* removed spaces at the end of a ton of signatures.  Since this isn't technically modifying the sig, I didn't bump the rev.  Any decent parsing program shouldn't bitch at this.
* corrected sid:1747 - corrected msg (said UDP in TCP sig)
* corrected sid:1746 - corrected msg (said TCP in UDP sig)
* corrected sid:1562 - SITE CHOWN sig should look for SITE CHOWN, not USER
* added the following sigs:
1734 || EXPERIMENTAL FTP USER overflow attempt || bugtraq,4638
1735 || EXPERIMENTAL WEB-CLIENT XMLHttpRequest attempt
1736 || EXPERIMENTAL WEB-MISC squirrelmail spellcheck arbitrary command attemp || bugtraq,3952
1737 || EXPERIMENTAL WEB-MISC squirrelmail theme arbitrary command attempt || bugtraq,4385
1738 || EXPERIMENTAL WEB-MISC global.inc access || bugtraq,4612
1739 || EXPERIMENTAL WEB-PHP DNSTools administror authentication bypass attempt || bugtraq,4617
1740 || EXPERIMENTAL WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617
1741 || EXPERIMENTAL WEB-PHP DNSTools access || bugtraq,4617
1742 || EXPERIMENTAL WEB-PHP Blahz-DNS dostuff.php modify user attempt || bugtraq,4618
1743 || EXPERIMENTAL WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618
1744 || EXPERIMENTAL WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621
1745 || EXPERIMENTAL WEB-PHP Messagerie supp_membre.php access || bugtraq,4635
1746 || RPC UDP cachefsd request
1747 || RPC TCP cachefsd request
1748 || EXPERIMENTAL FTP command overflow attempt
1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access
1750 || EXPERIMENTAL WEB-IIS users.xml access

Revision 1.74 / (view) - annotate - [select for diffs] , Thu May 2 17:31:41 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.73: +1 -2 lines
Diff to previous 1.73
* disable sid:1114 - webmasters suck, so this happens ever so often.  it is not really that bad, so disable it.

Revision 1.73 / (view) - annotate - [select for diffs] , Wed May 1 21:52:14 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.72: +15 -51 lines
Diff to previous 1.72
* cleaned up chat.rules info
* moved all .cgi rules from  web-misc to web-cgi
* moved sid:609 - moved to web-misc
* updated sid:1464 - no, oracle isn't usually thought of as a web server
* updated sid:1423,1425,1497,1667,1500,1619,1519,1520,1521,1522,1523,1524,1525,1526,1527,1540,1554,1545,1546,1551,1552,1559,1560,1561,1563,1564,1567,1568,1603,1618,1626,1642,1643,1668,1669,1670,1671 - s/HOME_NET/HTTP_SERVERS

Revision 1.72 / (view) - annotate - [select for diffs] , Sun Apr 28 16:45:15 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.71: +5 -4 lines
Diff to previous 1.71
FYI, the oracle signatures are based on the signatures written by
Hank Leininger <hlein@progressive-comp.com> originally for Enterasys's
Dragon IDS.

* added sids to the sigs that didn't have them.
* moved sid:614 - now in backdoor.rules
* updated sid:1549 - corrected port
* updated sid:1550 - corrected port
* updated sid:336 - updated msg
* updated sid:615 - updated msg
* update sid:616 - updated msg
* updated sid:620 - updated msg
* updated sid:626 - corrected msg
* updated sid:634 - updated msg
* updated sid:631 - updated msg
* updated sid:632 - updated msg
* updated sid:1150 - corrected msg
* updated sid:1183 - added CVE ref
* updated sid:1196 - corrected msg

Added the following signatures:

1666 || ATTACK RESPONSES index of /cgi-bin/ response
1667 || EXPERIMENTAL cross site scripting \(img src=javascript\) attempt
1668 || EXPERIMENTAL WEB-CGI /cgi-bin/ access
1669 || EXPERIMENTAL WEB-CGI /cgi-dos/ access
1670 || EXPERIMENTAL WEB-MISC /home/ftp access
1671 || EXPERIMENTAL WEB-MISC /home/www access
1672 || FTP CWD ~<NEWLINE>  attempt || bugtraq,2601 || cve,CAN-2001-0421
1673 || ORACLE EXECUTE_SYSTEM attempt
1674 || ORACLE connect_data\(command=version\) attempt
1675 || ORACLE misparsed login response
1676 || ORACLE select union attempt
1677 || ORACLE select like '%' attempt
1678 || ORACLE select like \
1679 || ORACLE describe attempt
1680 || ORACLE all_constraints access
1681 || ORACLE all_views access
1682 || ORACLE all_source access
1683 || ORACLE all_tables access
1684 || ORACLE all_tab_columns access
1685 || ORACLE all_tab_privs access
1686 || ORACLE dba_tablespace access
1687 || ORACLE dba_tables access
1688 || ORACLE user_tablespace access
1689 || ORACLE sys.all_users access
1690 || ORACLE grant attempt
1691 || ORACLE ALTER USER attempt
1692 || ORACLE drop table attempt
1693 || ORACLE create table attempt
1694 || ORACLE alter table attempt
1695 || ORACLE truncate table attempt
1696 || ORACLE create database attempt
1697 || ORACLE alter database attempt
1698 || ORACLE execute_system attempt
1699 || P2P Fastrack (kazaa/morpheus) traffic || url,www.kazaa.com
1700 || WEB-CGI imagemap.exe access || arachnids,412 || cve,CVE-1999-0951
1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215
1702 || WEB-CGI Amaya templates sendtemp.pl access || cve,CAN-2001-0272 || bugtraq,2504
1703 || WEB-CGI auktion.cgi directory traversal attempt || cve,CAN-2001-0212 || bugtraq,2367
1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,CVE-2001-0463
1705 || WEB-CGI echo.bat arbitrary command execution attempt
1706 || WEB-CGI echo.bat access
1707 || WEB-CGI hello.bat arbitrary command execution attempt
1708 || WEB-CGI hello.bat access
1709 || WEB-CGI ad.cgi access
1710 || WEB-CGI bbs_forum.cgi access
1711 || WEB-CGI bsguest.cgi access
1712 || WEB-CGI bslist.cgi access
1713 || WEB-CGI cgforum.cgi access
1714 || WEB-CGI newdesk access
1715 || WEB-CGI register.cgi access
1716 || WEB-CGI gbook.cgi access
1717 || WEB-CGI simplestguest.cgi access
1718 || WEB-CGI statusconfig.pl access
1719 || WEB-CGI talkback.cgi directory traversal attempt
1720 || WEB-CGI talkback.cgi access
1721 || WEB-CGI adcycle access
1722 || WEB-CGI MachineInfo access
1723 || WEB-CGI emumail.cgi NULL attempt
1724 || WEB-CGI emumail.cgi access
1725 || WEB-IIS +.htr code fragment attempt || cve,CVE-2000-0630
1726 || WEB-IIS doctodep.btr access
1727 || WEB-MISC SGI InfoSearch fname access || cve,CVE-2000-0207 || arachnids,290 || bugtraq,1031
1728 || FTP CWD ~<CR><NEWLINE> attempt || bugtraq,2601 || cve,CAN-2001-0421

Revision 1.71 / (view) - annotate - [select for diffs] , Sat Apr 20 19:32:41 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.70: +10 -7 lines
Diff to previous 1.70
I'd like to dedicate this commit to Don "Beetle" Bailey, who I carpool with
every day.  It's a great thing because this allows me a chance to catch up on
email, update signatures, and get away from annoying questions about why ACID
won't install.  The ride in the mustang is usually very enjoyable just as
long as trees are not involved.  That, and it gives Don and me a chance to rant
about our wives. ;)

* moved sid:499 - moved to icmp.rules

* updated sid:540 - s/info/chat/
* updated sid:541 - s/info/chat/
* updated sid:542 - s/info/chat/
* updated sid:573 - added CVE ref
* updated sid:821 - added CVE ref
* updated sid:857 - added CVE ref
* updated sid:889 - added URL ref
* updated sid:890 - added URL ref
* updated sid:953 - updated msgs
* updated sid:974 - corrected content, made it uricontent as well
* updated sid:993 - corrected content (/iisadmin sometimes isn't in scripts)
* updated sid:999 - corrected msg
* updated sid:1031 - updated msg (less overlapping names)
* updated sid:1123 - made content uricontent
* updated sid:1145 - corrected MSG
* updated sid:1158 - updated content checks (not look for usage, just access)
* updated sid:1193 - corrected content checks, they were completely wrong
* updated sid:1222 - moved to correct .rules (web.cgi)
* updated sid:1463 - s/info/chat/

* disabled the following signatures:
sid:1073
We should not look for specific vulnerabilities in "/scripts/samples/" unless you
*really* want to.  We have enough port 80 sigs, let's try and keep em to a
minimum to stay secure, yet still catch badguys.

sid:999
Why look for bdir.htr in that specific place only when it can show up elsewhere?

* added the following signatures:
1638 || EXPERIMENTAL SCAN SSH Version map attempt
1639 || CHAT IRC DCC file transfer request
1640 || CHAT IRC DCC chat request
1641 || EXPERIMENTAL DOS DB2 dos attempt
1642 || EXPERIMENTAL WEB-CGI document.d2w access || bugtraq:2017 || cve,CAN-2000-1110
1643 || EXPERIMENTAL WEB-CGI db2www access || cve,CVE-2000-0677
1644 || WEB-CGI test-cgi attempt || arachnids,218 || cve,CVE-1999-0070
1645 || WEB-CGI testcgi access
1646 || WEB-CGI test.cgi access
1647 || WEB-CGI faxsurvey attempt (full path) || bugtraq,2056 || cve,CVE-1999-0262
1648 || WEB-CGI perl.exe command attempt || arachnids,219 || url,www.cert.org/advisories/CA-1996-11.html || cve,CAN-1999-0509
1649 || WEB-CGI perl command attempt || arachnids,219 || url,www.cert.org/advisories/CA-1996-11.html || cve,CAN-1999-0509
1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,CAN-1999-0885
1651 || WEB-CGI enivorn.pl access
1652 || WEB-CGI campus attempt
1653 || WEB-CGI campus access
1654 || WEB-CGI cart32.exe access
1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt
1656 || WEB-CGI pfdispaly.cgi access
1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,CAN-2000-0940
1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,CAN-2000-0940
1659 || WEB-COLDFUSION sendmail.cfm access
1660 || WEB-IIS trace.axd access
1661 || WEB-IIS cmd32.exe access
1662 || WEB-MISC /~ftp access
1663 || WEB-MISC *%0a.pl access
1664 || WEB-MISC mkplog.exe access
1665 || WEB-MISC mkilog.exe access
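
Added example (mine, not the Snort project's tooling): the `sid || msg || ref || ref` lists in this entry and in the 1.72 and 1.75 entries above are the sid-msg.map format, where each reference is `system,id` and the system name is looked up in reference.config to build a URL (the BUGTRAQ_URL_HEAD change in the 1.64 entry below is that table). This Python checker parses such lines, expands references to URLs, catches duplicate sids, and flags references written with the wrong separator, such as this entry's `bugtraq:2017`, which a parser expecting `system,id` rejects. The URL prefixes and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the "sid || msg || ref || ref" (sid-msg.map) format
# used by the lists in this log. Lines 1-4 mirror entries shown in the log;
# line 1 keeps the colon-separated reference exactly as the 1.71 entry has it,
# and lines 5-6 are deliberately bad (duplicate sid, non-numeric sid).
SAMPLE_MAP = """\
1642 || EXPERIMENTAL WEB-CGI document.d2w access || bugtraq:2017 || cve,CAN-2000-1110
1643 || EXPERIMENTAL WEB-CGI db2www access || cve,CVE-2000-0677
1644 || WEB-CGI test-cgi attempt || arachnids,218 || cve,CVE-1999-0070
1649 || WEB-CGI perl command attempt || arachnids,219 || url,www.cert.org/advisories/CA-1996-11.html || cve,CAN-1999-0509
1649 || WEB-CGI duplicate sid on purpose
abc || not a sid
"""

# Reference systems with URL prefixes in the style of Snort's reference.config;
# the prefixes are assumed for this example.
REF_URL_HEAD = {
    'bugtraq':   'http://www.securityfocus.com/bid/',
    'cve':       'http://cve.mitre.org/cgi-bin/cvename.cgi?name=',
    'arachnids': 'http://www.whitehats.com/info/IDS',
    'url':       'http://',
}

REF_RE = re.compile(r'^(?P<system>[A-Za-z]+),(?P<id>\S+)$')


def parse_line(line):
    """Parse one 'sid || msg || refs...' line into a dict; malformed
    references are collected rather than silently dropped."""
    fields = [f.strip() for f in line.split('||')]
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError('bad sid-msg.map line: %r' % line)
    refs, bad = [], []
    for ref in fields[2:]:
        m = REF_RE.match(ref)
        system = m.group('system').lower() if m else None
        if system not in REF_URL_HEAD:
            bad.append(ref)                # wrong separator or unknown system
            continue
        refs.append((system, m.group('id'), REF_URL_HEAD[system] + m.group('id')))
    return {'sid': int(fields[0]), 'msg': fields[1], 'refs': refs, 'bad_refs': bad}


def check_map(text):
    """Return (entries, errors): unparsable lines, duplicate sids and
    malformed references are reported as error strings."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as e:
            errors.append('line %d: %s' % (lineno, e))
    for sid, n in sorted(Counter(e['sid'] for e in entries).items()):
        if n > 1:
            errors.append('sid %d appears %d times' % (sid, n))
    for e in entries:
        for ref in e['bad_refs']:
            errors.append('sid %d: malformed reference %r' % (e['sid'], ref))
    return entries, errors


if __name__ == '__main__':
    entries, errors = check_map(SAMPLE_MAP)
    for e in entries:
        print(e['sid'], e['msg'], *[u for _, _, u in e['refs']])
    for err in errors:
        print('ERROR:', err)
```

Duplicate sids matter because alerting consoles key on sid to look up the message and references; a regenerated sid-msg.map with a duplicate silently gives one of the two rules the other's description.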

Revision 1.70 / (view) - annotate - [select for diffs] , Tue Apr 16 11:57:46 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.69: +3 -3 lines
Diff to previous 1.69
* updated sid:1284 - corrected flow direction, changed from looking at uri
* updated sid:1290 - corrected flow direction
Thanks chris

Revision 1.69 / (view) - annotate - [select for diffs] , Sun Apr 14 15:35:17 2002 UTC (7 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.68: +2 -2 lines
Diff to previous 1.68
* updated sid:559 - removed newlines
* moved following sigs to their final resting place:
sid:1447 sid:1501 sid:1502 sid:1503 sid:1505 sid:1506 sid:1507 sid:1508
sid:1509 sid:1510 sid:1511 sid:1512 sid:1513 sid:1514 sid:1515 sid:1516
sid:1517 sid:1536 sid:1537 sid:1538 sid:1539 sid:1542 sid:1543 sid:1547
sid:1548 sid:1553 sid:1554 sid:1555 sid:1556 sid:1557 sid:1565 sid:1566
sid:1569 sid:1570 sid:1590 sid:1591 sid:1592 sid:1593 sid:1594 sid:1595
sid:1597 sid:1598 sid:1599 sid:1600 sid:1601 sid:1602 sid:1606 sid:1617

* updated sid:1243 - added bugtraq ref
* updated sid:1079 - added bugtraq ref
* updated sid:1225 - updated MSG
* updated sid:1227 - updated MSG

* added the following sigs:
1627 || BAD TRAFFIC Unassigned/Reserved IP protocol
1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || cve,CAN-1999-1050
1629 || EXPERIMENTAL MISC SecureNetPro traffic

Revision 1.68 / (view) - annotate - [select for diffs] , Fri Apr 12 01:49:27 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.67: +1 -2 lines
Diff to previous 1.67
* disabled sid:1121 - duplicate of 844
* disabled sid:1619 - duplicate of 987
* disabled sid:855  - sig looking for a site specific vulnerability on a site
                      that isn't vulnerable anymore
* updated sid:834 - added URL ref
* updated sid:836 - added CVE ref
* updated sid:832 - added CVE ref
* added the following signatures:
1620 || BAD TRAFFIC Non-Standard IP protocol
1621 || EXPERIMENTAL FTP EXPLOIT CMD overflow
1622 || EXPERIMENTAL FTP RNFR ././ attempt
1623 || EXPERIMENTAL FTP invalid MODE
1624 || EXPERIMENTAL FTP large PWD command
1625 || EXPERIMENTAL FTP large SYST command
1626 || EXPERIMENTAL WEB-IIS /StoreCSVS/InstantOrder.asmx request

Revision 1.67 / (view) - annotate - [select for diffs] , Mon Apr 8 00:48:26 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.66: +10 -5 lines
Diff to previous 1.66
* updated sid:803 - added hsx.cgi to MSG
* updated sid:857 - updated classtype
* updated sid:884 - updated classtype
* updated sid:1468 - corrected content
* updated sid:1107 - added CVE refs
* updated sid:1141 - added CVE refs
* updated sid:1165 - removed attempt content from access sig and created
  attempt sig (see below)
* updated sid:1207 - updated classtype
* added the following signatures:
1590 || EXPERIMENTAL WEB-CGI faqmanager.cgi attempt || bugtraq,3810
1591 || EXPERIMENTAL WEB-CGI faqmanager.cgi access || bugtraq,3810
1592 || EXPERIMENTAL WEB-CGI /fcgi-bin/echo.exe access
1593 || EXPERIMENTAL WEB-CGI FormHandler.cgi attempt
1594 || EXPERIMENTAL WEB-CGI FormHandler.cgi access
1595 || EXPERIMENTAL WEB-CGI htimage.exe access || cve,CAN-2000-0122
1596 || EXPERIMENTAL FTP CWD ~root attempt
1597 || EXPERIMENTAL WEB-CGI guestbook.cgi access || cve,CVE-1999-0237
1598 || EXPERIMENTAL WEB-CGI Home Free search.cgi attempt || bugtraq,921 || cve,CAN-2000-0054
1599 || EXPERIMENTAL WEB-CGI search.cgi access || bugtraq,921 || cve,CAN-2000-0054
1600 || EXPERIMENTAL WEB-CGI htsearch  arbitrary configuration file attempt || cve,CVE-2000-0208
1601 || EXPERIMENTAL WEB-CGI htsearch attempt || cve,CVE-2000-0208
1602 || EXPERIMENTAL WEB-CGI htsearch access || cve,CVE-2000-0208
1603 || EXPERIMENTAL WEB-MISC DELETE attempt
1604 || EXPERIMENTAL WEB-MISC iChat directory traversal attempt || cve,CAN-1999-0897
1605 || EXPERIMENTAL MISC iParty DOS attempt || cve,CAN-1999-1566
1606 || EXPERIMENTAL WEB-CGI icat access || cve,CAN-1999-1069
1607 || WEB-CGI HyperSeek hsx.cgi access || cve,CAN-2001-0253 || bugtraq,2314
1608 || WEB-CGI htmlscript attempt || cve,CVE-1999-0264 || bugtraq,2001
1609 || WEB-CGI faxsurvey attempt || bugtraq,2056 || cve,CVE-1999-0262
1610 || WEB-CGI formmail attempt || arachnids,226 || cve,CVE-1999-0172 || bugtraq,1187
1611 || WEB-MISC eXtropia webstore access || cve,CVE-2000-1005 || bugtraq,1774
1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,CAN-2000-0674
1613 || WEB-MISC handler attempt || cve,CVE-1999-0148 || arachnids,235 || bugtraq,380
1614 || WEB-MISC novell groupwise gwweb.exe attempt || cve,CAN-1999-1006 || bugtraq,879
1615 || WEB-MISC htgrep attempt || cve,CAN-2000-0832

Revision 1.66 / (view) - annotate - [select for diffs] , Sun Apr 7 16:52:28 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.65: +23 -8 lines
Diff to previous 1.65
* updated sid:577 - added CVE ref
* updated sid:1264 - added CVE ref
* updated sid:817 - corrected name
* updated sid:1466 - corrected classtype
* updated sid:1467 - corrected classtype
* updated sid:908 - added CVE ref
* updated sid:1080 - corrected sig to reflect reality
* updated sid:1162 - added CVE ref
* updated sid:1182 - corrected classtype
* updated sid:1187 - corrected MSG to reflect reality
* updated sid:1206 - added CVE ref
* updated sid:1219 - added CVE ref
* updated sid:1589 - corrected MSG to reflect reality
* added the following signatures:
1536 || EXPERIMENTAL WEB-CGI calendar_admin.pl attempt || cve,CVE-2000-0432
1537 || EXPERIMENTAL WEB-CGI calendar_admin.pl access || cve,CVE-2000-0432
1538 || EXPERIMENTAL NNTP AUTHINFO USER overflow attempt || cve,CAN-2000-0341
1539 || EXPERIMENTAL WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,CAN-2000-0079
1540 || EXPERIMENTAL WEB-COLDFUSION ?Mode=debug attempt
1541 || EXPERIMENTAL FINGER version queary
1542 || EXPERIMENTAL WEB-CGI cgimail access || cve,CVE-2000-0726
1543 || EXPERIMENTAL WEB-CGI cgiwrap access || cve,CVE-2001-0987 || cve,CVE-2000-0431 || cve,CVE-1999-1530
1544 || EXPERIMENTAL WEB-MISC Cisco Catalyst command execution attempt || cve,CAN-2000-0945
1545 || EXPERIMENTAL DOS cisco attempt
1546 || EXPERIMENTAL WEB-MISC cisco /%% DOS attempt
1547 || EXPERIMENTAL WEB-CGI csSearch.cgi attempt || bugtraq,4368
1548 || EXPERIMENTAL WEB-CGI csSearch.cgi access || bugtraq,4368
1549 || EXPERIMENTAL SMTP HELO overflow attempt || cve,CAN-2000-0042
1550 || EXPERIMENTAL SMTP ETRN overflow attempt || cve,CAN-2000-0490
1551 || EXPERIMENTAL WEB-MISC /CVS/Entries access
1552 || EXPERIMENTAL WEB-MISC cvsweb version access || cve,CAN-2000-0670
1553 || EXPERIMENTAL WEB-CGI /cart/cart.cgi access || cve,CVE-2000-0252
1554 || EXPERIMENTAL WEB-CGI dbman db.cgi access || cve,CVE-2000-0381
1555 || EXPERIMENTAL WEB-CGI DCShop access || cve,CAN-2001-0821
1556 || EXPERIMENTAL WEB-CGI DCShop orders.txt access || cve,CAN-2001-0821
1557 || EXPERIMENTAL WEB-CGI DCShop auth_user_file.txt access || cve,CAN-2001-0821
1558 || EXPERIMENTAL WEB-MISC Delegate whois overflow attempt || cve,CVE-2000-0165
1559 || EXPERIMENTAL WEB-MISC /doc/packages access
1560 || EXPERIMENTAL WEB-MISC /doc/ access || bugtraq,318 || cve,CVE-1999-0678
1561 || EXPERIMENTAL WEB-MISC ?open access
1562 || EXPERIMENTAL FTP SITE CHOWN overflow attempt || cve,CAN-2000-0479
1563 || EXPERIMENTAL WEB-MISC login.htm attempt || cve,CAN-1999-1533
1564 || EXPERIMENTAL WEB-MISC login.htm access || cve,CAN-1999-1533
1565 || EXPERIMENTAL WEB-CGI eshop.pl attempt || cve,CAN-2001-1014
1566 || EXPERIMENTAL WEB-CGI eshop.pl access || cve,CAN-2001-1014
1567 || EXPERIMENTAL WEB-MISC /exchange/root.asp attempt
1568 || EXPERIMENTAL WEB-MISC /exchange/root.asp access
1569 || EXPERIMENTAL WEB-CGI loadpage.cgi attempt
1570 || EXPERIMENTAL WEB-CGI loadpage.cgi access
1571 || WEB-CGI dcforum.cgi directory traversal attempt || cve,CAN-2001-0436
1572 || WEB-CGI commerce.cgi attempt || cve,CAN-2001-0210 || bugtraq,2361
1573 || WEB-CGI cgiforum.pl attempt || cve,CVE-2000-1171 || bugtraq,1963
1574 || WEB-CGI directorypro.cgi attempt || cve,CAN-2001-0780
1575 || WEB-MISC Domino mab.nsf access
1576 || WEB-MISC Domino cersvr.nsf access
1577 || WEB-MISC Domino setup.nsf access
1578 || WEB-MISC Domino statrep.nsf access
1579 || WEB-MISC Domino webadmin.nsf access
1580 || WEB-MISC Domino events4.nsf access
1581 || WEB-MISC Domino ntsync4.nsf access
1582 || WEB-MISC Domino collect4.nsf access
1583 || WEB-MISC Domino mailw46.nsf access
1584 || WEB-MISC Domino bookmark.nsf access
1585 || WEB-MISC Domino agentrunner.nsf access
1586 || WEB-MISC Domino mail.box access
1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,3885 || cve,CVE-2000-1171
1588 || WEB-MISC SalesLogix Eviewer access || cve,CAN-2000-0289 || bugtraq,1089
1589 || WEB-MISC musicat empower attempt

Revision 1.65 / (view) - annotate - [select for diffs] , Sun Apr 7 07:55:06 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.64: +6 -5 lines
Diff to previous 1.64
* updated sid:1406 - added CVE ref
* updated sid:975 - made sig look more like reality
* updated sid:1110 - cleaned up ref
* updated sid:1172 - added CVE ref
* updated sid:1181 - added CVE ref
* updated sid:1185 - made sig look for access of the CVE, not attempting to use it. (added sig looking for attempt as well... see below)
* added the following signatures:
1497 || EXPERIMENTAL cross site scripting attempt
1498 || EXPERIMENTAL WEB-MISC PIX firewall manager directory traversal attempt
1499 || EXPERIMENTAL WEB-MISC SiteScope Service access
1500 || EXPERIMENTAL WEB-MISC ExAir access || cve,CVE-1999-0449
1501 || EXPERIMENTAL WEB-CGI a1stats a1disp3.cgi attempt || cve,CAN-2001-0561
1502 || EXPERIMENTAL WEB-CGI a1stats a1disp3.cgi access || cve,CAN-2001-0561
1503 || EXPERIMENTAL WEB-CGI admentor admin.asp access || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html || bugtraq,4152
1504 || EXPERIMENTAL MISC AFS access
1505 || EXPERIMENTAL WEB-CGI alchemy http server PRN attempt || cve,CAN-2001-0871
1506 || EXPERIMENTAL WEB-CGI alchemy http server NUL attempt || cve,CAN-2001-0871
1507 || EXPERIMENTAL WEB-CGI alibaba.pl attempt || cve,CAN-1999-0885
1508 || EXPERIMENTAL WEB-CGI alibaba.pl access || cve,CAN-1999-0885
1509 || EXPERIMENTAL WEB-CGI AltaVista Intranet Search config attempt || cve,CVE-2000-0039
1510 || EXPERIMENTAL WEB-CGI test.bat attempt || cve,CVE-1999-0947
1511 || EXPERIMENTAL WEB-CGI test.bat access || cve,CVE-1999-0947
1512 || EXPERIMENTAL WEB-CGI input.bat attempt || cve,CVE-1999-0947
1513 || EXPERIMENTAL WEB-CGI input.bat access || cve,CVE-1999-0947
1514 || EXPERIMENTAL WEB-CGI input2.bat attempt || cve,CVE-1999-0947
1515 || EXPERIMENTAL WEB-CGI input2.bat access || cve,CVE-1999-0947
1516 || EXPERIMENTAL WEB-CGI /ssi/envout.bat attempt || cve,CVE-1999-0947
1517 || EXPERIMENTAL WEB-CGI /ssi/envout.bat access || cve,CVE-1999-0947
1518 || EXPERIMENTAL WEB-MISC nstelemetry.adp access
1519 || EXPERIMENTAL WEB-MISC apache ?M=A directory list attempt || cve,CAN-2001-0731
1520 || EXPERIMENTAL WEB-MISC server-info access
1521 || EXPERIMENTAL WEB-MISC server-status access
1522 || EXPERIMENTAL WEB-MISC ans.pl attempt || bugtraq,4149 || bugtraq,4147
1523 || EXPERIMENTAL WEB-MISC ans.pl access || bugtraq,4149 || bugtraq,4147
1524 || EXPERIMENTAL WEB-MISC Axis Storpoint CD attempt || cve,CAN-2000-0191
1525 || EXPERIMENTAL WEB-MISC Axis Storpoint CD access || cve,CAN-2000-0191
1526 || EXPERIMENTAL WEB-MISC basilix sendmail.inc access
1527 || EXPERIMENTAL WEB-MISC basilix mysql.class access
1528 || EXPERIMENTAL WEB-MISC BBoard access || cve,CAN-2000-0629
1529 || EXPERIMENTAL FTP EXPLOIT SITE CHOWN overflow || cve,CAN-2001-0065
1530 || EXPERIMENTAL FTP format string attempt
1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,CAN-1999-1462
1532 || WEB-CGI bb-hostscv.sh attempt || cve,CVE-2000-0638
1533 || WEB-CGI bb-hostscv.sh access || cve,CVE-2000-0638
1534 || WEB-CGI agora.cgi attempt || bugtraq,3976 || cve,CAN-2001-1199
1535 || WEB-MISC bizdbsearch access || bugtraq,1104 || cve,CAN-2000-0287

Revision 1.64 / (view) - annotate - [select for diffs] , Fri Apr 5 05:30:38 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.63: +14 -5 lines
Diff to previous 1.63
* updated CVE & Bugtraq entries for a ton of sigs
* updated BUGTRAQ_URL_HEAD to point to the new site
* added the following signatures:

1464 || ATTACK RESPONSES oracle one hour install
1465 || WEB-CGI auktion.cgi access || cve,CAN-2001-0212 || bugtraq,2367
1466 || WEB-CGI cgiforum.pl access || cve,CVE-2000-1171 || bugtraq,1963
1467 || WEB-CGI directorypro.cgi access || cve,CAN-2001-0780
1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,CVE-2000-0922
1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,CVE-2000-0922
1470 || WEB-CGI listrec.pl access || cve,CAN-2001-0997
1471 || WEB-CGI mailnews.cgi access || cve,CAN-2001-0271
1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,CVE-2001-1114
1473 || WEB-CGI newsdesk.cgi access || cve,CAN-2001-0232
1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,CVE-2001-0463
1475 || WEB-CGI mailit.pl access
1476 || WEB-CGI sdbsearch.cgi access || cve,CAN-2001-1130
1477 || WEB-CGI swc attempt
1478 || WEB-CGI swc access
1479 || WEB-CGI ttawebtop.cgi attempt || bugtraq,2890 || cve,CVE-2001-0805
1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,CVE-2001-0805
1481 || WEB-CGI upload.cgi access
1482 || WEB-CGI view_source access
1483 || WEB-CGI ustorekeeper.pl access
1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,CAN-2001-0302
1485 || WEB-IIS mkilog.exe access
1486 || WEB-IIS ctss.idc access
1487 || WEB-IIS /iisadmpwd/aexp2.htr access
1488 || WEB-MISC store.cgi attempt || cve,CAN-2001-0305 || bugtraq,2385
1489 || WEB-MISC /~nobody access
1490 || WEB-MISC phorum /support/common.php attempt
1491 || WEB-MISC phorum /support/common.php access
1492 || WEB-MISC RBS ISP /newuser attempt
1493 || WEB-MISC RBS ISP /newuser access
1494 || WEB-MISC SIX webboard generate.cgi attempt || bugtraq,3175 || cve,CAN-2001-1115
1495 || WEB-MISC SIX webboard generate.cgi access || bugtraq,3175 || cve,CAN-2001-1115
1496 || WEB-MISC spin_client.cgi access

Revision 1.63 / (view) - annotate - [select for diffs] , Sat Mar 23 16:30:50 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.62: +3 -1 lines
Diff to previous 1.62
* Forgot to commit sid:1433 and sid:1434

Revision 1.62 / (view) - annotate - [select for diffs] , Sat Mar 23 14:40:20 2002 UTC (7 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.61: +209 -210 lines
Diff to previous 1.61
* Added the following signatures:
1428 || EXPERIMENTAL audio galaxy keepalive
1429 || EXPERIMENTAL poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl
1430 || EXPERIMENTAL TELNET solaris memory mismanagement exploit attempt
1431 || EXPERIMENTAL BAD TRAFFIC syn to multicast address
1432 || INFO GNUTella GET
1433 || WEB-MISC .history access
1434 || WEB-MISC .bash_history access
1435 || DNS named authors attempt || arachnids,480
1436 || MULTIMEDIA Quicktime User Agent access
1437 || MULTIMEDIA Windows Media audio download
1438 || MULTIMEDIA Windows Media Video download
1439 || MULTIMEDIA Shoutcast playlist redirection
1440 || MULTIMEDIA Icecast playlist redirection
1441 || TFTP GET nc.exe
1442 || TFTP GET shadow
1443 || TFTP GET passwd
1444 || TFTP Get
1445 || FTP file_id.diz access
1446 || SMTP vrfy root

* Massive flow updates.  I hope nobody is using these signatures with 1.8.*

Revision 1.61 / (view) - annotate - [select for diffs] , Sat Mar 2 05:19:23 2002 UTC (8 years ago) by cazz
Branch: MAIN
Changes since 1.60: +3 -1 lines
Diff to previous 1.60
* moved a bunch of experimental rules to their final resting place
* regenerated sid-msg.map

Revision 1.60 / (view) - annotate - [select for diffs] , Sat Mar 2 05:00:17 2002 UTC (8 years ago) by cazz
Branch: MAIN
Changes since 1.59: +3 -3 lines
Diff to previous 1.59
* updated sid:105 - added url ref
* updated sid:104 - added url ref
* updated sid:1072 - added CVE ref, added bugtraq ref
* updated sid:1117 - added url ref

Revision 1.59 / (view) - annotate - [select for diffs] , Thu Feb 28 21:48:11 2002 UTC (8 years ago) by cazz
Branch: MAIN
Changes since 1.58: +2 -2 lines
Diff to previous 1.58
* updated sid:1149 - corrected bid (thanks cmg)

Revision 1.58 / (view) - annotate - [select for diffs] , Wed Feb 13 12:35:50 2002 UTC (8 years ago) by cazz
Branch: MAIN
Changes since 1.57: +2 -1 lines
Diff to previous 1.57
* added a few more things to doc/RULES.todo

* updated sid:103  - added url ref
* updated sid:260  - added url ref
* updated sid:967  - added url ref
* updated sid:975  - added url ref
* updated sid:1256 - added url ref
* updated sid:275  - added CVE ref & 2 url refs
* updated sid:271  - cleaned msg

* removed 90% of the depth/offsets from the 1433 signatures re CMG's request

* added sid:1405 - WEB-CGI AHG search.cgi access
* added sid:1406 - WEB-CGI agora.cgi access
* added sid:1407 - WEB-MISC smssend.php access
* added sid:1408 - EXPERIMENTAL MSDTC DoS sig
* added sid:1409 - EXPERIMENTAL SNMP community string overflow (from andrewb)
* added sid:1410 - WEB-CGI dcboard.cgi access

Revision 1.57 / (view) - annotate - [select for diffs] , Wed Jan 30 13:03:56 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.56: +2 -2 lines
Diff to previous 1.56
* updated sid:209 - added arachnids ref
* updated sid:216 - added arachnids ref
* updated sid:1321 - added RFC ref, added microsoft kb ref
* updated sid:303 - changed CVE CAN to CVE CVE.
* updated sid:314 - changed CVE CAN to CVE CVE.
* updated sid:1246 - added microsoft bulletin ref
* updated sid:1248 - added microsoft bulletin ref
* disabled sid:1049 - redundant sig (/../../../)

Revision 1.56 / (view) - annotate - [select for diffs] , Wed Jan 23 15:30:13 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.55: +2 -2 lines
Diff to previous 1.55
* updated sid:526 - added CERT url ref
* updated sid:567 - added mail-abus.org url ref
* updated sid:615 - added undernet.org/proxyscan url ref
* updated sid:1080 - added CVE ref

Revision 1.55 / (view) - annotate - [select for diffs] , Mon Jan 21 04:53:13 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.54: +7 -5 lines
Diff to previous 1.54
* disabled sid:984,985,992,1004,1005,1028,1031,1032,1033,1034,1035,1036,1037,1043  - don't need multiple flaws from stuff in samples.  everything in samples is bad.
* added sid:1400 - /scripts/samples
* added sid:1401 - /msadc/samples
* added sid:1402 - /iissamples
* updated sid:1088 - added CVE ref
* disabled sid:1094 - dup of sid:1088
* updated sid:1159 - added CVE ref, added 4 bugtraq refs
* disabled sid:1389 - viewcode.jse
* added sid:1403 - /viewcode (generic viewcode sig)
* added sid:1404 - /showcode (generic viewcode sig)

Revision 1.54 / (view) - annotate - [select for diffs] , Sun Jan 20 04:01:34 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.53: +3 -3 lines
Diff to previous 1.53
* updated sid:320 - cleaned MSG, added 2 SANS url ref
* updated sid:321 - cleaned MSG
* updated sid:322 - cleaned MSG
* updated sid:324 - cleaned MSG
* disabled sid:325 - duplicate of sid:332
* updated sid:326 - added CVE ref, cleaned MSG
* updated sid:327 - added CVE ref, cleaned MSG
* updated sid:328 - added CVE ref
* disabled sid:329 - disabled in favor of less specific sid:330
* updated sid:330 - cleaned MSG
* updated sid:331 - made content more readable
* updated sid:332 - added arachnids ref, added CVE ref, cleaned MSG
* updated sid:333 - cleaned MSG
* updated sid:1377 - added classtype
* updated sid:1378 - added classtype
* updated sid:807 - added CVE ref, added bugtraq ref
* updated sid:1166 - added CVE ref, added bugtraq ref
* updated sid:1175 - added bugtraq ref, corrected CVE ref

Revision 1.53 / (view) - annotate - [select for diffs] , Sat Jan 19 07:55:29 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52
* regened sid-msg.map
* moved frontpage to be after web-iis
* updated sid:1398 - added classtype
* added sid:1399 - EXPERIMENTAL PHP-Nuke remote file include attempt
* moved sid:612 - Belongs in rpc.rules instead of rservices.rules
* updated sid:601 - s/rsh/rlogin/
* updated sid:602 - s/rsh/rlogin/
* updated sid:603 - s/rsh/rlogin/
* updated sid:604 - s/rsh/rlogin/
* updated sid:605 - s/rsh/rlogin/
* updated sid:606 - s/rsh/rlogin/
* updated sid:607 - s/rlogin/rsh/
* updated sid:608 - s/rlogin/rsh/
* updated sid:609 - s/rlogin/rsh/
* updated sid:610 - s/rlogin/rsh/
* updated sid:611 - s/rlogin/rsh/
* disabled sid:617 - wtf does this look for?  nobody knows, let's turn it off
* updated sid:976 - added url REFs.  Removed & from content
* updated sid:1042 - added bugtraq REF
* disabled sid:1045 - generic sig when we have a tight sig
* updated sid:1201 - added depth

Revision 1.52 / (view) - annotate - [select for diffs] , Thu Jan 17 21:01:18 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.51: +3 -3 lines
Diff to previous 1.51
* updated sid:1104 - cleaned MSG (name space collision)
* updated sid:1087 - cleaned MSG (name space collision)

Revision 1.51 / (view) - annotate - [select for diffs] , Thu Jan 17 17:18:20 2002 UTC (8 years, 1 month ago) by cazz
Branch: MAIN
Changes since 1.50: +5 -5 lines
Diff to previous 1.50
* updated sid:216 - added a bit more information to the MSG.
* removed sid:280 - duplicate sig.
* updated sid:314 - synced msg with sid:303.  Corrected CVE ref.
* updated sid:303 - corrected CVE ref.
* updated sid:333 - corrected CVE ref.
* updated sid:1003 - corrected spelling in MSG.
* updated sid:1171 - added URL ref.  Added a bit more info in MSG.
* updated sid:1139 - added URL ref.  Added a bit more info in MSG.
* updated sid:1104 - added URL ref.
* updated sid:1087 - added URL ref.

Revision 1.50 / (view) - annotate - [select for diffs] , Thu Jan 3 15:59:22 2002 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49
* updated sid:1385 - added bid:3727

Revision 1.49 / (view) - annotate - [select for diffs] , Wed Jan 2 15:43:29 2002 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.48: +2 -1 lines
Diff to previous 1.48
* added sid:1391 - WEB-MISC Phorecast remote code execution attempt
* added sid:1392 - WEB-CGI lastlines.cgi access
* massive updates to policy.rules from ryan@securityfocus

Revision 1.48 / (view) - annotate - [select for diffs] , Fri Dec 28 16:27:52 2001 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.47: +3 -2 lines
Diff to previous 1.47
* more todo
* added viewcode.jse signature
* updated sid:1385 (' is not the same as ")

Revision 1.47 / (view) - annotate - [select for diffs] , Fri Dec 21 21:15:48 2001 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.46: +2 -1 lines
Diff to previous 1.46
* added UPNP, mod-plsql, and ms-sql raiserror signatures

Revision 1.46 / (view) - annotate - [select for diffs] , Wed Dec 19 18:40:05 2001 UTC (8 years, 2 months ago) by cazz
Branch: MAIN
Changes since 1.45: +4 -4 lines
Diff to previous 1.45
* Added more stuff to the TODO list
* moved sid:144 to ftp.rules since that's where it belongs
* updated sid:303,1240 (added flags)
* committed a ton of updates to sql.rules and ftp.rules
  (see diffs for full info) from Ryan @ SecurityFocus. (You rock yo)
* added a bit of info as to why local.rules exists to local.rules

Revision 1.45 / (view) - annotate - [select for diffs] , Mon Dec 3 15:20:30 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.44: +21 -20 lines
Diff to previous 1.44
* a zillion updates from ryan@securityfocus.
* extra long stat exploit
* cleaned up the wu-ftp sigs to make them less false negative.

Revision 1.44 / (view) - annotate - [select for diffs] , Fri Nov 30 20:05:09 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.43: +4 -4 lines
Diff to previous 1.43
fixed - 1250, 1199, 979, 1109, 978, 995

Thanks to Ryan from Securityfocus for the updates.  He rocks.

Revision 1.43 / (view) - annotate - [select for diffs] , Wed Nov 28 22:00:51 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.42: +2 -1 lines
Diff to previous 1.42
* added .jsp sig for JRun.  Need references, defcon-labs hasn't put the advisory on their site yet.  no CVE/BIDs
* added Chris Green's wu-ftpd file completion sigs.  (Chris, you rock)

Revision 1.42 / (view) - annotate - [select for diffs] , Wed Nov 28 14:44:24 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.41: +3 -3 lines
Diff to previous 1.41
* update to sigs MSG & classtype (re ryan russell)

Revision 1.41 / (view) - annotate - [select for diffs] , Fri Nov 16 14:06:20 2001 UTC (8 years, 3 months ago) by cazz
Branch: MAIN
Changes since 1.40: +2 -1 lines
Diff to previous 1.40
added chris green's sadmind worm access signature

Revision 1.40 / (view) - annotate - [select for diffs] , Mon Nov 12 19:42:26 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.39: +1 -2 lines
Diff to previous 1.39
* more FAQ foo (from Erek Adams)
* updated SID:307,308, removed SID:1063 (re cmg)

Revision 1.39 / (view) - annotate - [select for diffs] , Mon Nov 5 19:08:19 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.38: +2 -2 lines
Diff to previous 1.38
* added Zeno (did much of the leg work for web-attacks.rules) to the CREDITS
* fixed a spelling error for sid:1257
* increased the filler signature length.
* moved sid:1113 to the end of the web-misc.rules (let's be less generic if possible)

Revision 1.38 / (view) - annotate - [select for diffs] , Tue Oct 30 05:39:23 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37
* oops. forgot the trailing ; after bumping the rev.

Revision 1.37 / (view) - annotate - [select for diffs] , Tue Oct 30 05:31:34 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36
* add a classification to those rules without.
  (used misc-activity as the default)

Revision 1.36 / (view) - annotate - [select for diffs] , Mon Oct 29 01:52:54 2001 UTC (8 years, 4 months ago) by roesch
Branch: MAIN
Changes since 1.35: +2 -1 lines
Diff to previous 1.35
* Added copyright notices so that the Intrusion.com people might take our intellectual
  property a bit more seriously

Revision 1.35 / (view) - annotate - [select for diffs] , Wed Oct 24 19:05:07 2001 UTC (8 years, 4 months ago) by cazz
Branch: MAIN
Changes since 1.34: +57 -57 lines
Diff to previous 1.34
* added our first patch of porn signatures
* added suspicious-login classification
* updated classifications on a crapload of rules
* make barnyard defaults in the config file actually be what we say is the default

Revision 1.34 / (view) - annotate - [select for diffs] , Sun Oct 7 22:10:35 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.33: +8 -8 lines
Diff to previous 1.33
* regen sid-msg.map
* added sendmessage.cgi
* updated a number of WEB-MISC rules to be uricontent compliant when sane.

Revision 1.33 / (view) - annotate - [select for diffs] , Sun Oct 7 21:19:05 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.32: +5 -2 lines
Diff to previous 1.32
* regen sid-msg.map
* move more BAD TRAFFIC sigs into bad-traffic.rules
* remove duplicate .eml signatures
* add txt2html attempt signatures
* add store.cgi attempt & access signatures

Revision 1.32 / (view) - annotate - [select for diffs] , Sun Oct 7 20:44:03 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.31: +6 -5 lines
Diff to previous 1.31
* Added SID/REV to those signatures that needed it.
* Added txt2html signatures

Revision 1.31 / (view) - annotate - [select for diffs] , Sat Oct 6 02:14:14 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.30: +5 -1 lines
Diff to previous 1.30
* Added new classifications
* added yppasswdd signatures
* removed arachNIDS from a site to go look for rules.  Why tell people about
  a service that is down?
* added a few more web-misc rules

Revision 1.30 / (view) - annotate - [select for diffs] , Fri Sep 28 14:15:34 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.29: +2 -1 lines
Diff to previous 1.29
* fix carbo.dll signature & move it into WEB-MISC where it belongs.
  (Just cause something runs on IIS doesn't mean it is IIS's fault.)

Revision 1.29 / (view) - annotate - [select for diffs] , Tue Sep 25 04:07:41 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.28: +4 -3 lines
Diff to previous 1.28
* Added descriptions to many of the .rules files.  (More to come soon)
* cleaned up a few any any rules
* cleaned up the name of a few rules
* Created attack-responces.rules (for generic responses of known attacks)
* Created bad-traffic.rules (for signatures that shouldn't happen on a
  'good' network)
* normalized a few msgs.
* changed order telnet.rules to speed up the exploit signatures
* added sml3com access signature (need to write an overflow attempt sig,
  but don't have a 3com router to test it.  any takers?)

Revision 1.28 / (view) - annotate - [select for diffs] , Thu Sep 20 12:58:57 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27
* actually COMMIT the changes I make.
Caught by Robert Hughes

Revision 1.27 / (view) - annotate - [select for diffs] , Wed Sep 19 12:43:47 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.26: +3 -2 lines
Diff to previous 1.26
* added readme.eml autoload attempt signature
(credit : Farm9)
* added TFTP GET Admin.dll signature
(credit : Farm9)
* added /_vti_bin/ signature
* added CERT references to all NIMDA specific signatures

Revision 1.26 / (view) - annotate - [select for diffs] , Tue Sep 18 20:20:48 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.25: +2 -1 lines
Diff to previous 1.25
* added /scripts/ /msdac/ /_mem_bin/ signatures
* added readme.eml download signature

Revision 1.25 / (view) - annotate - [select for diffs] , Fri Sep 14 04:22:53 2001 UTC (8 years, 5 months ago) by cazz
Branch: MAIN
Changes since 1.24: +4 -4 lines
Diff to previous 1.24
* corrected CVE references
* regen sid-msg.map

Revision 1.24 / (view) - annotate - [select for diffs] , Tue Sep 4 13:43:58 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.23: +2 -2 lines
Diff to previous 1.23
* : inside of "" should not need to be \

Revision 1.23 / (view) - annotate - [select for diffs] , Sun Sep 2 18:50:28 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.22: +2 -1 lines
Diff to previous 1.22
* added aix pdnsd overflow sig
* added aix long basic authorization string
  (This may trigger on long posts as well.  It hasn't on my network yet,
   but it might elsewhere)

Revision 1.22 / (view) - annotate - [select for diffs] , Sun Aug 26 00:02:01 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.21: +1 -7 lines
Diff to previous 1.21
* cleaned up a huge amount of dup rules

Thanks to Jimmy Staggs for pointing out the duplicates

Revision 1.21 / (view) - annotate - [select for diffs] , Tue Aug 21 18:00:24 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20
* bunch of duplicate flags
* duplicate SIDs generated.  Please use the new sid-add in contrib

Caught by Mike Baptiste <mike@baptistefamily.net>

Revision 1.20 / (view) - annotate - [select for diffs] , Fri Aug 17 13:56:28 2001 UTC (8 years, 6 months ago) by cazz
Branch: MAIN
Changes since 1.19: +2 -1 lines
Diff to previous 1.19
* corrected SIDs on a few rules
* added HP Openview Manager DOS sig

Revision 1.19 / (view) - annotate - [select for diffs] , Mon Aug 13 21:02:06 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.18: +2 -2 lines
Diff to previous 1.18
Make "/~root" "/~root/" to prevent /~rootie/ from causing false positives

Revision 1.18 / (view) - annotate - [select for diffs] , Sun Jul 29 16:36:35 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.17: +17 -17 lines
Diff to previous 1.17
* Added CVE & Bugtraq references to a few zillion rules.
* Fixed sid:1048 (caught by John Berkers)

Revision 1.17 / (view) - annotate - [select for diffs] , Fri Jul 27 02:09:41 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.16: +3 -1 lines
Diff to previous 1.16
* add IDMEF Setup IFDEF (thanks Joey @ Silicon Defense)
* add sid-ref maps for signatures marty added
* add PHPLIB signatures (bugtraq 3079)

Revision 1.16 / (view) - annotate - [select for diffs] , Thu Jul 26 18:43:52 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.15: +15 -16 lines
Diff to previous 1.15
* Added SID->reference maps (sid-ref.map)
* Added BIDs to a few zillion rules.  Thanks to the guys at SF for the data

Revision 1.15 / (view) - annotate - [select for diffs] , Tue Jul 24 21:21:12 2001 UTC (8 years, 7 months ago) by cazz
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14
* A couple of broken rules that Marty caught

Revision 1.14 / (view) - annotate - [select for diffs] , Mon Jul 2 22:35:11 2001 UTC (8 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.13: +7 -7 lines
Diff to previous 1.13
let's put the whisker splice attack rules last.
(rather see the attack they are doing, than just that they are doing an attack.)

Revision 1.13 / (view) - annotate - [select for diffs] , Thu Jun 28 21:19:36 2001 UTC (8 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.12: +2 -1 lines
Diff to previous 1.12
* added CISCO IOS HTTP Configuration Attempt (bugtraq,2936) signature

Revision 1.12 / (view) - annotate - [select for diffs] , Sun Jun 17 00:19:48 2001 UTC (8 years, 8 months ago) by cazz
Branch: MAIN
Changes since 1.11: +12 -1 lines
Diff to previous 1.11
* added a bunch of signatures
* added better 'output' of broken rules in sp_pattern_match.c

Revision 1.11 / (view) - annotate - [select for diffs] , Mon Jun 11 15:29:30 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.10: +179 -179 lines
Diff to previous 1.10
* added support for SID and REV.
* added sid-msg.map (maps SID to MSG)

SID is a unique ID for each rule.  REV is the rule revision.

Revision 1.10 / (view) - annotate - [select for diffs] , Wed Jun 6 02:25:18 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.9: +8 -1 lines
Diff to previous 1.9
Added the following rules:
* DOS JOLT attack
* DOS Land attack
* DOS Teardrop attack
* DOS UDP bomb attack
* DOS IGMP attack (two rules)
* MISC Tiny Fragments
* MISC IP Reserved bit set
* MISC TCP port 0 traffic
* MISC UDP port 0 traffic
* MISC data in TCP SYN packet
* MISC same SRC/DST
* MISC loopback traffic (127.0.0.0/8)
* SMTP RCPT overflow
* WEB-CGI hyperseek directory traversal attempt
* WEB-MISC netscape enterprise server DOS (REVLOG /)
* WEB-MISC netscape enterprise server directory listing (INDEX /)
* WEB-MISC iPlanet DOS attempt
* WEB-MISC WebPALS attempt (two rules)
* WEB-MISC ROADS attempt

Revision 1.9 / (view) - annotate - [select for diffs] , Sun May 20 23:47:21 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.8: +26 -5 lines
Diff to previous 1.8
* Yes RFP, we like you too.

Revision 1.8 / (view) - annotate - [select for diffs] , Wed May 16 04:00:45 2001 UTC (8 years, 9 months ago) by cazz
Branch: MAIN
Changes since 1.7: +2 -1 lines
Diff to previous 1.7
* Added sgi_espd RPC query (SGI Advisory 20010501-01-P)
* Mentioned that virus rules are NOT being maintained
* Added iPlanet GETPROPERTIES attempt rule (See eEye advisory)

Revision 1.7 / (view) - annotate - [select for diffs] , Tue Apr 17 03:32:47 2001 UTC (8 years, 10 months ago) by cazz
Branch: MAIN
Changes since 1.6: +150 -148 lines
Diff to previous 1.6
* Changed default $HOME_NET to any (watch as marty changes it right back :P)
* Added classifications to almost every rule

NOTE:
We are currently using IDMEF's classifications.  This may change soon.
This is an extremely SIMPLE and well defined set of rule classifications
and priorities.  It is completely changeable.  Read sp_priority and
classification.conf for more information.

Revision 1.6 / (view) - annotate - [select for diffs] , Tue Apr 10 16:47:15 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.5: +73 -73 lines
Diff to previous 1.5

* made almost all URL rules use uricontent
* fixed a few borked rules

Revision 1.5 / (view) - annotate - [select for diffs] , Mon Apr 9 06:39:44 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.4: +6 -6 lines
Diff to previous 1.4
----------------------------------------------------------------------

Added:
   * ntpdx overflow attempt (from arachnids)
Modified:
   * Lotus Domino Directory Traversal - Added better content matching
   * added uricontent for 5 rules.  More coming soon

Modified Files:
	exploit.rules web-misc.rules
----------------------------------------------------------------------

Revision 1.4 / (view) - annotate - [select for diffs] , Thu Apr 5 16:33:16 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.3: +4 -5 lines
Diff to previous 1.3
----------------------------------------------------------------------
Modified Files:
    web-misc.rules

* added weblogic view source
* added tomcat directory traversal
* added tomcat view source

----------------------------------------------------------------------

Revision 1.3 / (view) - annotate - [select for diffs] , Wed Apr 4 23:39:22 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.2: +13 -11 lines
Diff to previous 1.2
added virus.rules & sql.rules.  cleaned up rules to be less false positive.  removed a few duplicate rules.

Revision 1.2 / (view) - annotate - [select for diffs] , Wed Apr 4 23:07:50 2001 UTC (8 years, 11 months ago) by cazz
Branch: MAIN
Changes since 1.1: +60 -48 lines
Diff to previous 1.1
Added x11.rules, x11.rules, and virus.rules

Revision 1.1 / (view) - annotate - [select for diffs] , Sat Mar 10 15:42:10 2001 UTC (9 years ago) by roesch
Branch: MAIN
* Disabled reserved bits scan detection, false positives for ECN traffic
  aren't detectable with the current code and I'm seeing a lot of noise
  out there about this...
* committed the new rules set from Forster/Caswell

snort-team@sourcefire.com