snort2-docker/docker/etc/rules/os-solaris.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#------------------
# OS-SOLARIS RULES
#------------------

# alert udp $EXTERNAL_NET 513 -> $HOME_NET 513 (msg:"OS-SOLARIS Oracle Solaris in.rwhod hostname denial of service attempt"; flow:to_server; content:"|01 01 00 00|"; depth:4; isdataat:40,relative; content:!"|00|"; within:32; distance:8; reference:bugtraq,13401; reference:cve,2004-1351; classtype:attempted-dos; sid:20725; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OS-SOLARIS Oracle Solaris username overflow authentication bypass attempt"; flow:to_server,established; content:"c c c c c c c c c"; metadata:service telnet; reference:cve,2001-0797; classtype:attempted-admin; sid:13613; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability"; flow:to_server,established; content:"|0A|U"; content:"../.."; fast_pattern:only; content:"|0A|"; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:12080; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd unlink file attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|02|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; metadata:service printer; reference:bugtraq,14510; reference:cve,2005-4797; classtype:misc-attack; sid:10418; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"OS-SOLARIS Oracle Solaris login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-f"; distance:0; rawbytes; metadata:service telnet; reference:bugtraq,22512; reference:cve,2007-0882; classtype:attempted-admin; sid:10136; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris LPD overflow attempt"; flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; reference:bugtraq,3274; reference:cve,2001-1583; classtype:attempted-admin; sid:3527; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
# alert udp $EXTERNAL_NET 67 -> $HOME_NET 68 (msg:"OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt"; flow:to_server; content:"|63 82 53 63|"; content:"|35 01 05|"; distance:0; fast_pattern; content:"|0F|"; distance:0; content:"|20|"; within:100; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,14687; reference:cve,2005-2870; classtype:attempted-user; sid:17433; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|0A 55|"; content:"|2F|"; distance:0; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:17353; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; sid:4144; rev:12;)
# alert udp $EXTERNAL_NET 177 -> $HOME_NET any (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_client; content:"|00 1C|"; depth:2; offset:17; reference:cve,2004-0368; classtype:attempted-admin; sid:37511; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_server,established; content:"|00 01 00 07|"; depth:4; content:!"|00 00|"; within:2; distance:5; reference:cve,2004-0368; classtype:attempted-admin; sid:39936; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,32768:] (msg:"OS-SOLARIS Solaris RPC XDR overflow code execution attempt"; flow:to_server,established; content:"|80 00 04 E8|"; depth:4; content:"|00 00 00 00 00 00 00 02 00 01|"; within:10; distance:4; content:"|00 00 55 DE|"; within:4; distance:10; byte_jump:4,0,relative,post_offset 8; isdataat:288,relative; reference:cve,2017-3623; reference:url,seclists.org/dailydave/2016/q4/15; classtype:attempted-admin; sid:42226; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_server,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42254; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_client,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42253; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|120|5C|260|5C|33|5C|350|5C|41|5C|0|5C|0|5C|0|5C|350|5C|0|5C|0|5C|0|5C|0|5C|137|5C|213|5C|307|5C|5|5C|44|5C|0|5C|0|5C|0|5C|120|5C|203|5C|307|5C|157|5C|127|5C|63|5C|300|5C|260|5C|13|5C|350|5C|6|5C|0|5C|0|5C|0|5C|63|5C|300|5C|120|5C|120|5C|260|5C|1|5C|232|5C|0|5C|0|5C|0|5C|0|5C|47|5C|0|5C|303"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42283; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|353|5C|6|5C|137|5C|210|5C|107|5C|6|5C|353|5C|55|5C|350|5C|365|5C|377|5C|377|5C|377|5C|232|5C|172|5C|121|5C|114|5C|37|5C|47|5C|5|5C|303|5C|63|5C|322|5C|130|5C|215|5C|170|5C|24|5C|122|5C|127|5C|120|5C|253|5C|222|5C|253|5C|210|5C|102|5C|10|5C|260|5C|73|5C|350|5C|342|5C|377|5C|377|5C|377|5C|63|5C|300|5C|120|5C|260|5C|1|5C|350|5C|330|5C|377|5C|377|5C|377|5C|350|5C|333|5C|377|5C|377|5C|377|5C|57|5C|142|5C|151|5C|156|5C|57|5C|153|5C|163|5C|150|5C|"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42282; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|100|5C|0|5C|0|5C|2|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|33|5C|221|5C|320|5C|40|5C|10|5C|220|5C|3|5C|340|5C|176|5C|222|5C|3|5C|340|5C|54|5C|202|5C|20|5C|40|5C|13|5C|221|5C|320|5C|40|5C|10|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|1|5C|221|5C|320|5C|40|5C|10|5C|0|5C|2"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42281; rev:1;)
Adding Docker Container 2020-02-24 13:56:30 +00:00			`# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.`
			`#`
			`# This file contains (i) proprietary rules that were created, tested and certified by`
			`# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT`
			`# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by`
			`# Sourcefire and other third parties (the "GPL Rules") that are distributed under the`
			`# GNU General Public License (GPL), v2.`
			`#`
			`# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created`
			`# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are`
			`# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by`
			`# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a`
			`# list of third party owners and their respective copyrights.`
			`#`
			`# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer`
			`# to the VRT Certified Rules License Agreement (v2.0).`
			`#`
			`#------------------`
			`# OS-SOLARIS RULES`
			`#------------------`

			`# alert udp $EXTERNAL_NET 513 -> $HOME_NET 513 (msg:"OS-SOLARIS Oracle Solaris in.rwhod hostname denial of service attempt"; flow:to_server; content:"\|01 01 00 00\|"; depth:4; isdataat:40,relative; content:!"\|00\|"; within:32; distance:8; reference:bugtraq,13401; reference:cve,2004-1351; classtype:attempted-dos; sid:20725; rev:3;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OS-SOLARIS Oracle Solaris username overflow authentication bypass attempt"; flow:to_server,established; content:"c c c c c c c c c"; metadata:service telnet; reference:cve,2001-0797; classtype:attempted-admin; sid:13613; rev:6;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability"; flow:to_server,established; content:"\|0A\|U"; content:"../.."; fast_pattern:only; content:"\|0A\|"; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:12080; rev:9;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd unlink file attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"\|02\|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; metadata:service printer; reference:bugtraq,14510; reference:cve,2005-4797; classtype:misc-attack; sid:10418; rev:7;)`
			`# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"OS-SOLARIS Oracle Solaris login environment variable authentication bypass attempt"; flow:to_server,established; content:"\|FF FA\|"; rawbytes; content:"USER\|01\|-f"; distance:0; rawbytes; metadata:service telnet; reference:bugtraq,22512; reference:cve,2007-0882; classtype:attempted-admin; sid:10136; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris LPD overflow attempt"; flow:to_server,established; content:"\|02\|//////////"; depth:11; dsize:>1000; reference:bugtraq,3274; reference:cve,2001-1583; classtype:attempted-admin; sid:3527; rev:12;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"\|EB 23\|^3\|C0 88\|F\|FA 89\|F\|F5 89\|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"\|90 1A C0 0F 90 02\| \|08 92 02\| \|0F D0 23 BF F8\|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)`
			`# alert udp $EXTERNAL_NET 67 -> $HOME_NET 68 (msg:"OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt"; flow:to_server; content:"\|63 82 53 63\|"; content:"\|35 01 05\|"; distance:0; fast_pattern; content:"\|0F\|"; distance:0; content:"\|20\|"; within:100; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,14687; reference:cve,2005-2870; classtype:attempted-user; sid:17433; rev:13;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"\|0A 55\|"; content:"\|2F\|"; distance:0; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:17353; rev:12;)`
			`alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"\|02\|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; sid:4144; rev:12;)`
			`# alert udp $EXTERNAL_NET 177 -> $HOME_NET any (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_client; content:"\|00 1C\|"; depth:2; offset:17; reference:cve,2004-0368; classtype:attempted-admin; sid:37511; rev:1;)`
			`# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_server,established; content:"\|00 01 00 07\|"; depth:4; content:!"\|00 00\|"; within:2; distance:5; reference:cve,2004-0368; classtype:attempted-admin; sid:39936; rev:1;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,32768:] (msg:"OS-SOLARIS Solaris RPC XDR overflow code execution attempt"; flow:to_server,established; content:"\|80 00 04 E8\|"; depth:4; content:"\|00 00 00 00 00 00 00 02 00 01\|"; within:10; distance:4; content:"\|00 00 55 DE\|"; within:4; distance:10; byte_jump:4,0,relative,post_offset 8; isdataat:288,relative; reference:cve,2017-3623; reference:url,seclists.org/dailydave/2016/q4/15; classtype:attempted-admin; sid:42226; rev:2;)`
			alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_server,established; file_data; content:"\|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02\|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42254; rev:2;)
			alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_client,established; file_data; content:"\|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02\|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42253; rev:2;)
			# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"\|5C\|63\|5C\|300\|5C\|120\|5C\|260\|5C\|33\|5C\|350\|5C\|41\|5C\|0\|5C\|0\|5C\|0\|5C\|350\|5C\|0\|5C\|0\|5C\|0\|5C\|0\|5C\|137\|5C\|213\|5C\|307\|5C\|5\|5C\|44\|5C\|0\|5C\|0\|5C\|0\|5C\|120\|5C\|203\|5C\|307\|5C\|157\|5C\|127\|5C\|63\|5C\|300\|5C\|260\|5C\|13\|5C\|350\|5C\|6\|5C\|0\|5C\|0\|5C\|0\|5C\|63\|5C\|300\|5C\|120\|5C\|120\|5C\|260\|5C\|1\|5C\|232\|5C\|0\|5C\|0\|5C\|0\|5C\|0\|5C\|47\|5C\|0\|5C\|303"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42283; rev:1;)
			# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"\|5C\|63\|5C\|300\|5C\|353\|5C\|6\|5C\|137\|5C\|210\|5C\|107\|5C\|6\|5C\|353\|5C\|55\|5C\|350\|5C\|365\|5C\|377\|5C\|377\|5C\|377\|5C\|232\|5C\|172\|5C\|121\|5C\|114\|5C\|37\|5C\|47\|5C\|5\|5C\|303\|5C\|63\|5C\|322\|5C\|130\|5C\|215\|5C\|170\|5C\|24\|5C\|122\|5C\|127\|5C\|120\|5C\|253\|5C\|222\|5C\|253\|5C\|210\|5C\|102\|5C\|10\|5C\|260\|5C\|73\|5C\|350\|5C\|342\|5C\|377\|5C\|377\|5C\|377\|5C\|63\|5C\|300\|5C\|120\|5C\|260\|5C\|1\|5C\|350\|5C\|330\|5C\|377\|5C\|377\|5C\|377\|5C\|350\|5C\|333\|5C\|377\|5C\|377\|5C\|377\|5C\|57\|5C\|142\|5C\|151\|5C\|156\|5C\|57\|5C\|153\|5C\|163\|5C\|150\|5C\|"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42282; rev:1;)
			# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"\|5C\|100\|5C\|0\|5C\|0\|5C\|2\|5C\|220\|5C\|20\|5C\|0\|5C\|0\|5C\|202\|5C\|20\|5C\|40\|5C\|33\|5C\|221\|5C\|320\|5C\|40\|5C\|10\|5C\|220\|5C\|3\|5C\|340\|5C\|176\|5C\|222\|5C\|3\|5C\|340\|5C\|54\|5C\|202\|5C\|20\|5C\|40\|5C\|13\|5C\|221\|5C\|320\|5C\|40\|5C\|10\|5C\|220\|5C\|20\|5C\|0\|5C\|0\|5C\|202\|5C\|20\|5C\|40\|5C\|1\|5C\|221\|5C\|320\|5C\|40\|5C\|10\|5C\|0\|5C\|2"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42281; rev:1;)