CVS log for snort/rules/web-php.rules
a bunch of new rules. go sourcefire.
tons of new rules, tons of rule updates. oracle & nntp xpat rules are the important ones
* dedup
more rules, more rule updates, and more preprocessor docs. yes, just like TBS, we can do 'more' too.
* massive sync
* sync sync sync
* tons of new rules
* tons of new rule references
* tons of new rule docs
* initial documentation on preprocessor alerts (gen-sid.txt in doc/signatures)
* new build of the manual
* sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc sync ysnc ysnc
* new rules
* massive sync here too
* sync sync sync * go ruleteam go
* massive sync from head
* yet another sync, let's go forward in time, not backwards...
* massive rule updates (go ruleteam, go)
* Syncing changes for rules team
* let's try this *again*
* sync with sforge current
* updating 2.1.3 from sforge
* sync sync sync
* sync sync sync
* Added a ton of rules that include vulnerabilities in many high-profile security products, including Checkpoint & ISS gear (see below)
* provided a single high-powered rule for detecting all of the evil virus emails
* added even more docs. (Go Nigel)
  2405 || WEB-PHP phptest.php access || bugtraq,9737
  2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681
  2407 || WEB-MISC util.pl access || bugtraq,9748
  2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766
  2409 || POP3 APOP USER overflow attempt || bugtraq,9794
  2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773
  2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || url,www.service.real.com/help/faq/security/rootexploit091103.html || bugtraq,8476
  2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt
  2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
  2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
  2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,CAN-2004-0164
  2416 || FTP invalid MDTM command attempt
  2417 || FTP format string attempt
  2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.asp
  2419 || MULTIMEDIA realplayer .ram playlist download attempt
  2420 || MULTIMEDIA realplayer .rmp playlist download attempt
  2421 || MULTIMEDIA realplayer .smi playlist download attempt
  2422 || MULTIMEDIA realplayer .rt playlist download attempt
  2423 || MULTIMEDIA realplayer .rp playlist download attempt
  2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2426 || NNTP version overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,CAN-2004-00045
  2432 || NNTP article post without path attempt
  2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317
  2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317
  2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,9707
  2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,9707
  2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9738 || cve,CAN-2003-0726
  2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579
  2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579
  2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579
  2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319
  2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || cve,CAN-2004-0169
  2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
  2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
  2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
  2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html
* sync sync sync
* sync new rules downwards
* 44 new rules, 52 updates. see snort-sigs mailing list in a few days for the full details. The cool rules are:
  (For ISS buffer overflow detection!)
  NETBIOS SMB Session Setup AndX request username overflow attempt
  NETBIOS SMB Data Service Session Setup AndX request username overflow attempt
  NETBIOS SMB Session Setup AndX request unicode username overflow attempt
  NETBIOS SMB Data Service Session Setup AndX request unicode username overflow attempt
  (For FW1 ISAKMP buffer overflow detection!)
  EXPLOIT ISAKMP first payload certificate request length overflow attempt
  EXPLOIT ISAKMP second payload certificate request length overflow attempt
  EXPLOIT ISAKMP third payload certificate request length overflow attempt
  EXPLOIT ISAKMP fourth payload certificate request length overflow attempt
  EXPLOIT ISAKMP fifth payload certificate request length overflow attempt
* Bringing RC1 up to 2.1.1
* sync sync sync, sync sync sync, sync your rules
* bunch o bunch o updates
* 2.1.1-RC1
Everybody, get on the floor, let's dance. Don't fight your feelings, give yourself a chance. Sync sync sync, sync sync sync, sync your RULES, sync your RULES. Feel free to sing along, K.C. and Sunshine Band style.
* add flow or stateless where appropriate
* a bunch of rule changes, including a ton of new rules. go PCRE. stable sync will happen later tonight.
  2259 || SMTP EXPN overflow attempt || cve,CAN-2002-1337 || bugtraq,6991 || cve,CAN-2003-0161 || bugtraq,7230 || cve,CAN-2003-0161
  2260 || SMTP VRFY overflow attempt || cve,CAN-2002-1337 || bugtraq,6991 || cve,CAN-2003-0161 || bugtraq,7230 || cve,CAN-2003-0161
  2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
  2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
  2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
  2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
  2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
  2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
  2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
  2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
  2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || cve,CAN-2002-1337 || bugtraq,6991
  2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || cve,CAN-2003-0161 || bugtraq,7230
  2271 || BACKDOOR FsSniffer connection attempt || nessus,11854
  2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,CAN-2003-0854 || cve,CAN-2003-0853
  2273 || IMAP login brute force attempt
  2274 || POP3 login brute force attempt
  2275 || SMTP AUTH LOGON brute force attempt
  2276 || WEB-MISC oracle portal demo access || nessus,11918
  2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,CAN-2003-0626 || cve,CAN-2003-0627
  2278 || WEB-MISC negative Content-Length attempt || bugtraq,9098
  2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057
  2280 || WEB-PHP Title.php access || bugtraq,9057
  2281 || WEB-PHP Setup.php access || bugtraq,9057
  2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057
  2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057
  2284 || WEB-PHP rolis guestbook arbitrary command execution attempt || bugtraq,9057
  2285 || WEB-PHP rolis guestbook access || bugtraq,9057
  2286 || WEB-PHP friends.php access || bugtraq,9088
  2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890
  2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890
  2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890
  2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890
  2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890
  2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890
  2293 || WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890
  2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890
  2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890
  2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890
  2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890
  2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890
  2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890
  2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890
  2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890
  2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890
  2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890
  2304 || WEB-PHP files.inc.php access || bugtraq,8910
  2305 || WEB-PHP chatbox.php access || bugtraq,8930
  2306 || WEB-PHP gallery arbitrary command execution attempt || bugtraq,8814 || nessus,11876
  2307 || WEB-PHP PayPal Storefront arbitrary command execution attempt || bugtraq,8791 || nessus,11873
  2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt
  2309 || NETBIOS SMB DCERPC Workstation Service bind attempt
  2310 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt microsoft-ds
  2311 || NETBIOS SMB DCERPC Workstation Service bind attempt microsoft-ds
  2312 || SHELLCODE x86 0x71FB7BAB NOOP
  2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode
  2314 || SHELLCODE x86 0x90 NOOP unicode
  2315 || NETBIOS DCERPC Workstation Service bind attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.asp || bugtraq,9011 || cve,CAN-2003-0812
  2316 || NETBIOS DCERPC Workstation Service direct service access attempt || url,www.microsoft.com/technet/security/bulletin/MS03-049.asp || bugtraq,9011 || cve,CAN-2003-0812
* major sync from CURRENT. lots of changes, too many to list. but it's all good and stuff.
* Major add/commit of 2.1 feature set... Will do a tag and then remove the "moved" files
* added sid:2123 - ATTACK-RESPONSES Microsoft cmd.exe banner
* added sid:2124 - BACKDOOR Remote PC Access connection attempt
* added sid:2125 - FTP CWD C:\\
* added sid:2126 - MISC Microsoft PPTP Start Control Request buffer overflow attempt
* added sid:2127 - WEB-CGI ikonboard.cgi access
* added sid:2128 - WEB-CGI swsrv.cgi access
* added sid:2129 - WEB-IIS nsiislog.dll access
* added sid:2130 - WEB-IIS IISProtect siteadmin.asp access
* added sid:2131 - WEB-IIS IISProtect access
* added sid:2132 - WEB-IIS Synchrologic Email Accelerator userid list access attempt
* added sid:2133 - WEB-IIS MS BizTalk server access
* added sid:2134 - WEB-IIS register.asp access
* added sid:2135 - WEB-MISC philboard.mdb access
* added sid:2136 - WEB-MISC philboard_admin.asp authentication bypass attempt
* added sid:2137 - WEB-MISC philboard_admin.asp access
* added sid:2138 - WEB-MISC logicworks.ini access
* added sid:2139 - WEB-MISC /*.shtml access
* added sid:2140 - WEB-PHP p-news.php access
* added sid:2141 - WEB-PHP shoutbox.php directory traversal attempt
* added sid:2142 - WEB-PHP shoutbox.php access
* added sid:2143 - WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
* added sid:2144 - WEB-PHP b2 cafelog gm-2-b2.php access
* added sid:2145 - WEB-PHP TextPortal admin.php default password (admin) attempt
* added sid:2146 - WEB-PHP TextPortal admin.php default password (12345) attempt
* added sid:2147 - WEB-PHP BLNews objects.inc.php4 remote command execution attempt
* added sid:2148 - WEB-PHP BLNews objects.inc.php4 access
* added sid:2149 - WEB-PHP Turba status.php access
* added sid:2150 - WEB-PHP ttCMS header.php remote command execution attempt
* added sid:2151 - WEB-PHP ttCMS header.php access
* added sid:2152 - WEB-PHP test.php access
* added sid:2153 - WEB-PHP autohtml.php directory traversal attempt
* added sid:2154 - WEB-PHP autohtml.php access
* added sid:2155 - WEB-PHP ttforum remote command execution attempt
* added sid:2156 - WEB-MISC mod_gzip_status access
* added sid:2157 - WEB-IIS IISProtect GlobalAdmin.asp access
* added sid:2158 - MISC BGP invalid length
* added sid:2159 - MISC BGP invalid type (0)
* added sid:2160 - VIRUS OUTBOUND .exe file attachment
* added sid:2161 - VIRUS OUTBOUND .doc file attachment
* added sid:2162 - VIRUS OUTBOUND .hta file attachment
* added sid:2163 - VIRUS OUTBOUND .chm file attachment
* added sid:2164 - VIRUS OUTBOUND .reg file attachment
* added sid:2165 - VIRUS OUTBOUND .ini file attachment
* added sid:2166 - VIRUS OUTBOUND .bat file attachment
* added sid:2167 - VIRUS OUTBOUND .diz file attachment
* added sid:2168 - VIRUS OUTBOUND .cpp file attachment
* added sid:2169 - VIRUS OUTBOUND .dll file attachment
* added sid:2170 - VIRUS OUTBOUND .vxd file attachment
* added sid:2171 - VIRUS OUTBOUND .sys file attachment
* added sid:2172 - VIRUS OUTBOUND .com file attachment
* added sid:2173 - VIRUS OUTBOUND .hsq file attachment
* added sid:2174 - NETBIOS SMB winreg access
* added sid:2175 - NETBIOS SMB winreg access (unicode)
* added sid:2176 - NETBIOS SMB Startup Folder access attempt
* added sid:2177 - NETBIOS SMB Startup Folder access attempt (unicode)
* major push of rules. see snort-sigs email for all the changes.
* MASSIVE sync of rules This is the first major sync of rules since I started working for Sourcefire. Many of these updates are a direct result of my employment at Sourcefire. We have time and resources to test and document rules extensively. Many people have contributed to these updates. Too many to mention here. You should continue to see awesome updates, rewrites and new rules as Sourcefire is dedicating serious resources to the Snort project. Even if you don't buy an appliance from Sourcefire, you should send an email to info@sourcefire.com to let them know how much you appreciate their dedication to making snort awesome.
* merge merge merge merge merge. Happy with the merge?
* wee. new rules. check snort-sigs in a bit for the changes
* updated sid:107 - corrected bad content checks
* updated sid:159 - corrected client/server pair
* updated sid:195 - corrected client/server pair
* updated sid:1929 - (trust me, it changed between 1,2 and 3)
* updated sid:524 - removed invalid references
* updated sid:238 - corrected client/server pair
* updated sid:1257 - added additional ports that can be targeted
* updated sid:306 - added reference
* updated sid:1919 - added references
* updated sid:1734 - added references
* updated sid:361 - added distance to limit false positives
* updated sid:362 - removed RETR content check (can be used with STOR as well)
* updated sid:1377 - added distance to limit false positives
* updated sid:1378 - added distance to limit false positives
* re-enabled sid:1748 - should be on by default
* updated sid:1844 - use byte_test instead of distance
* updated sid:1845 - use byte_test instead of distance
* updated sid:1903 - remove additional un-needed content
* updated sid:1755 - use within
* disabled sid:293 - replaced with other sids
* disabled sid:295 - replaced with other sids
* disabled sid:296 - replaced with other sids
* disabled sid:297 - replaced with other sids
* disabled sid:298 - replaced with other sids
* disabled sid:299 - replaced with other sids
* updated sid:489 - added within
* updated sid:1866 - added references
* disabled sid:570 - replaced with other sids
* disabled sid:571 - replaced with other sids
* updated sid:664 - updated MSG to be more clear
* updated sid:1289 - added offsets
* updated sid:1441 - added offsets
* updated sid:1442 - added offsets
* updated sid:1443 - added offsets
* updated sid:519 - added offsets
* updated sid:1149 - updated MSG to be more clear
* disabled sid:1287 - too false positive to be on by default
* updated sid:1069 - updated MSG to be more clear
* updated sid:1519 - updated MSG to be correct, update content to be correct
* updated sid:1809 - use HTTP_PORTS instead of 80
* updated sid:1826 - correct uricontent
* disabled sid:1171 - too false positive to be on by default
* deleted sid:874 - very bad rule
* deleted sid:318 - replaced by sid:1939 and sid:1940
* deleted sid:319 - replaced by sid:1939 and sid:1940
* reordered rpc.rules to be a bit more clear
* reordered dns.rules to be a bit more clear
* added pop2.rules
* disabled asn1_decode, as it shouldn't be on by default
* added the following rules:
  1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com
  1930 || IMAP auth overflow attempt || cve,CVE-1999-0005
  1931 || WEB-CGI rpc-nlog.pl access || cve,CAN-1999-1278
  1932 || WEB-CGI rpc-smb.pl access || cve,CAN-1999-1278
  1933 || WEB-CGI cart.cgi access
  1934 || POP2 FOLD overflow attempt || cve,CVE-1999-0920 || bugtraq,283
  1935 || POP2 FOLD arbitrary file attempt
  1936 || POP3 AUTH overflow attempt
  1937 || POP3 LIST overflow attempt || cve,CAN-2000-0096 || bugtraq,948
  1938 || POP3 XTND overflow attempt
  1939 || MISC bootp hardware address length overflow || cve,CAN-1999-0798
  1940 || MISC bootp invalid hardware type || cve,CAN-1999-0798
  1941 || TFTP filename overflow attempt || bugtraq,5328 || cve,CAN-2002-0813
  1942 || FTP RMDIR overflow attempt
  1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,CVE-2000-0396
  1944 || WEB-MISC /ecscripts/ecware.exe access
  1945 || WEB-IIS unicode directory traversal attempt || cve,CVE-2000-0884
  1946 || WEB-MISC answerbook2 admin attempt
  1947 || WEB-MISC answerbook2 arbitrary command execution attempt
  1948 || DNS zone transfer UDP || arachnids,212 || cve,CAN-1999-0532
  1949 || RPC portmap SET attempt TCP 111
  1950 || RPC portmap SET attempt UDP 111
  1951 || RPC mountd TCP mount request
  1952 || RPC mountd UDP export request
  1953 || RPC AMD TCP pid request
  1954 || RPC AMD UDP pid request
  1955 || RPC AMD TCP version request
  1956 || RPC AMD UDP version request
  1957 || RPC sadmind UDP PING || bugtraq,866
  1958 || RPC sadmind TCP PING || bugtraq,866
  1959 || RPC portmap request NFS UDP
  1960 || RPC portmap request NFS TCP
  1961 || RPC portmap request RQUOTA UDP
  1962 || RPC portmap request RQUOTA TCP
  1963 || RPC RQUOTA UDP getquota overflow attempt || bugtraq,864 || cve,CVE-1999-0974
  1964 || RPC tooltalk UDP overflow attempt
  1965 || RPC tooltalk TCP overflow attempt
  1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100
  1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173
  1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173
  1969 || WEB-MISC ion-p access || bugtraq,6091
  1970 || WEB-IIS MDAC Content-Type overflow attempt
  1971 || FTP SITE EXEC format string attempt
  1972 || FTP PASS overflow attempt || cve,CAN-2002-0126 || cve,CAN-2000-1035
  1973 || FTP MKD overflow attempt || bugtraq,612 || cve,CAN-1999-0911
  1974 || FTP REST overflow attempt || cve,CAN-2001-0826
  1975 || FTP DELE overflow attempt || cve,CAN-2001-0826
  1976 || FTP RMD overflow attempt || cve,CAN-2001-0826
  1977 || WEB-MISC xp_regwrite attempt
  1978 || WEB-MISC xp_regdeletekey attempt
  1979 || WEB-MISC perl post attempt || nessus,11158 || bugtraq,5520
* major sync from current (look ma, no experimental.rules)
* added pop2.rules
* regen sid-msg.map
* moved to proper .rules file from experimental.rules: 1605,1504,1890,1891,1638,1822,1823,1824,1825,1868,1869,1870,1875,1876,1877,1878,1840,1841,1817,1818,1814,1826,1820,1827,1828,1829,1830,1831,1835,1839,1847,1848,1849,1850,1851,1852,1857,1859,1860,1861,1862,1863,1871,1872,1873,1874,1881,1815,1816,1834
* updated sid:1337,1338 - corrected content, don't include the full path
* large update of signatures. CVS disconnected during the last commit, so this is a recommit
* This is a massive change. Since I'm really busy ATM, this is what changed.
* created imap.rules, nntp.rules, pop3.rules, other-ids.rules, web-client.rules, web-php.rules and moved signatures into those.
* added the following signatures:
  1793 || PORN fetish
  1794 || PORN masturbation
  1795 || PORN ejaculation
  1796 || PORN virgin
  1797 || PORN BDSM
  1798 || PORN erotica
  1799 || PORN fisting
  1800 || VIRUS Klez Incoming
snort-team@sourcefire.com