# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# POLICY-SOCIAL RULES
#---------------------
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:1990; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; dsize:<140; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:15;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; dsize:<140; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC dns request"; flow:to_server,established; content:"USERHOST "; metadata:ruleset community; classtype:policy-violation; sid:1789; rev:12;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC dns response"; flow:to_client,established; content:"|3A|"; content:" 302 "; content:"=+"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:1790; rev:11;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful logon"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2450; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2451; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2452; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference invitation"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2453; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference logon success"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2454; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2455; rev:8;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:2457; rev:7;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful chat join"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2458; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:ruleset community; classtype:policy-violation; sid:2460; rev:9;)
# alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference watch"; flow:to_client,established; content:"|0D 00 05 00|"; depth:4; metadata:ruleset community; classtype:policy-violation; sid:2461; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Initiation Request"; flow:established; content:"/notifyft"; depth:14; nocase; content:"Host|3A| filetransfer.msg.yahoo.com"; nocase; classtype:policy-violation; sid:3692; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo Messenger Message"; flow:established; content:"YMSG"; depth:4; content:"|00 06|"; depth:2; offset:10; classtype:policy-violation; sid:3691; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel notice"; flow:to_server,established; content:"NOTICE "; classtype:policy-violation; sid:6182; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"POLICY-SOCIAL jabber file transfer request"; flow:established,to_server; content:"xmlns="; nocase; content:"jabber.org/protocol"; distance:0; nocase; content:"file-transfer"; distance:0; nocase; reference:url,www.jabber.org/jeps/jep-0096.html; reference:url,www.xmpp.org; classtype:policy-violation; sid:6468; rev:5;)
# alert udp any 1025: -> any 1025: (msg:"POLICY-SOCIAL Microsoft Live chat video feed initiation"; content:"H|00 00 00 00 00 00 00 00 00|"; fast_pattern:only; dsize:10; reference:url,ml20rc.msnfanatic.com/vc_1_1/; classtype:policy-violation; sid:12457; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL ebuddy.com login attempt"; flow:established,to_client; content:"Set-Cookie|3A| network="; nocase; http_header; content:"Domain=.ebuddy.com"; fast_pattern:only; metadata:service http; reference:url,www.ebuddy.com; classtype:policy-violation; sid:12611; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"POLICY-SOCIAL jabber traffic detected"; flow:established,to_server; content:"jabber|3A|client"; fast_pattern:only; reference:url,www.xmpp.org; classtype:policy-violation; sid:6467; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; metadata:ruleset community; classtype:policy-violation; sid:1991; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo messenger http link transmission attempt"; flow:to_client,established; content:"YMSG"; depth:4; content:"|00 06|"; within:2; distance:6; content:"http|3A|//"; distance:0; pcre:"/http\x3A\x2F\x2F[^\s]/"; reference:url,en.wikipedia.org/wiki/Yahoo!_Messenger#Malware; classtype:trojan-activity; sid:15183; rev:5;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN messenger http link transmission attempt"; flow:to_client,established; content:"MSG"; depth:3; content:"http|3A|//"; distance:0; nocase; content:!"Post-URL|3A|http|3A 2F 2F|www.hotmail.com"; nocase; pcre:"/http\x3A\x2F\x2F[^\s]/i"; reference:url,en.wikipedia.org/wiki/MSN_Messenger#Malware; classtype:trojan-activity; sid:15184; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"POLICY-SOCIAL QQ protocol detected - version 2006"; content:"|02 0E|5|00|"; depth:4; reference:url,www.qq.com; classtype:policy-violation; sid:15292; rev:4;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"POLICY-SOCIAL QQ protocol detected - version 2008"; content:"|02 12|Q|00|"; depth:4; reference:url,www.qq.com; classtype:policy-violation; sid:15293; rev:4;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL AIM server certificate for encrypted login"; flow:established,to_client; ssl_version:tls1.0; content:"0|16 06 03|U|04 03 13 0F|kdc.uas.aol.com"; fast_pattern:only; classtype:policy-violation; sid:15418; rev:5;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo encrypted login attempt"; flow:to_client,established; ssl_version:tls1.0; content:"login.yahoo.com"; fast_pattern:only; classtype:policy-violation; sid:15569; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL AIM encrypted login attempt"; flow:to_client,established; ssl_version:tls1.0; content:"kdc.uas.aol.com"; fast_pattern:only; classtype:policy-violation; sid:15568; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"POLICY-SOCIAL deny Gmail chat DNS request"; byte_test:1,!&,128,2; content:"|0B|chatenabled|04|mail|06|google|03|com"; fast_pattern:only; metadata:service dns; classtype:policy-violation; sid:16443; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web login attempt"; flow:established,to_server; content:"/gateway/gateway.dll"; fast_pattern; nocase; http_uri; content:"Action=open"; nocase; http_uri; content:"messenger.hotmail.com"; nocase; http_uri; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:16525; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Yahoo Messenger web client activity"; flow:established,to_server; content:"wmsgr.account"; fast_pattern; nocase; http_uri; content:"Host|3A| webmessenger.yahoo.com"; nocase; metadata:service http; reference:url,messenger.yahoo.com; classtype:policy-violation; sid:15560; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web client activity"; flow:established,to_server; content:"/session/"; nocase; http_uri; content:"webmessenger.msn.com"; fast_pattern; nocase; http_header; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:15577; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AOL Aimexpress web client login"; flow:established,to_server; content:"/aim/startSession"; fast_pattern; nocase; http_uri; content:"clientName=gromit"; nocase; http_uri; metadata:service http; reference:url,www.aim.com/aimexpress.adp/; classtype:policy-violation; sid:15561; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft MSN Messenger web client login"; flow:established,to_server; content:"login.srf"; nocase; http_uri; content:"ru=http|3A|/webmessenger.msn.com"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,webmessenger.msn.com; classtype:policy-violation; sid:15576; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL webshots desktop traffic"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"WebshotsNetClient"; fast_pattern:only; pcre:"/User-Agent\x3A[^\n\r]+WebshotsNetClient/smiH"; metadata:service http; reference:url,www.webshots.com; classtype:misc-activity; sid:6408; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 706 (msg:"POLICY-SOCIAL silc client outbound connection"; flow:to_server,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7031; rev:4;)
# alert tcp $EXTERNAL_NET 706 -> $HOME_NET any (msg:"POLICY-SOCIAL silc server response"; flow:to_client,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; content:"silc-server"; distance:0; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7030; rev:4;)
# alert tcp $EXTERNAL_NET 25999 -> $HOME_NET any (msg:"POLICY-SOCIAL Xfire login successful"; flow:established,to_client; content:"|82|"; depth:1; offset:2; content:"userid"; depth:6; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8484; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY-SOCIAL Xfire session initiated"; flow:established,to_server; content:"UA01"; depth:4; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8482; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY-SOCIAL Xfire login attempted"; flow:established,to_server; content:"|01|"; depth:1; offset:2; content:"name"; depth:4; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8483; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12391; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo Webmail client chat applet"; flow:established,to_server; content:"<Ymsg Command="; fast_pattern:only; classtype:policy-violation; sid:12390; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AIM Express usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; fast_pattern:only; metadata:service http; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL Habbo chat client successful login"; flow:to_client,established; file_data; content:"document.habboLoggedIn = true"; fast_pattern:only; metadata:service http; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:7;)
# alert tcp $EXTERNAL_NET 38101 -> $HOME_NET any (msg:"POLICY-SOCIAL Habbo chat client avatar control"; flow:to_client,established; content:"/flatctrl useradmin/"; fast_pattern:only; reference:url,www.habbo.com; classtype:policy-violation; sid:13861; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX avatar retrieval request"; flow:to_server,established; content:"/avatar/"; http_uri; content:"User-Agent|3A| Xbox Live Client/"; http_header; content:"Host|3A|avatar.xboxlive.com|0D 0A|"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15172; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX Netflix client activity"; flow:to_server,established; content:"User-Agent|3A| NETFLIX360|0D 0A|"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15170; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL XBOX Marketplace http request"; flow:to_server,established; content:"/global"; http_uri; content:"/marketplace"; http_uri; content:"User-Agent|3A| Xbox Live Client/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:15171; rev:6;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"POLICY-SOCIAL XBOX Live Kerberos authentication request"; flow:to_server; content:"Xbox Version="; fast_pattern:only; content:"PASSPORT.NET"; metadata:service kerberos; reference:url,attack.mitre.org/techniques/T1097; classtype:policy-violation; sid:15169; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Google Chat web client connection"; flow:established,to_server; content:"/talkgadget/popout"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12303; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Yahoo Messenger web client connection"; flow:established,to_server; content:"/BootStrapper.swf"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12305; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Habbo chat client item information download"; flow:to_server,established; content:"/gamedata/external?id=external_"; nocase; http_uri; metadata:service http; reference:url,www.habbo.com; classtype:policy-violation; sid:13862; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-SOCIAL Namazu incoming namazu.cgi access"; flow:to_server,established; content:"/namazu.cgi?"; nocase; http_uri; content:"query="; distance:0; nocase; http_uri; content:"submit=Search"; http_uri; metadata:service http; reference:url,www.namazu.org/doc/manual.html; classtype:web-application-activity; sid:5706; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL AOL Instant Messenger web client connection"; flow:established,to_server; content:"HostCheck.aspx"; fast_pattern; nocase; http_uri; content:"aimexpress.aol.com"; http_uri; pcre:"/Cookie\x3A.*s_sq=aolsnssignin/si"; metadata:service http; classtype:policy-violation; sid:12304; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Microsoft Messenger web client connection"; flow:established,to_server; content:"mainui.aspx"; fast_pattern; nocase; http_uri; content:"webmessenger"; nocase; metadata:service http; classtype:policy-violation; sid:12306; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Namazu outbound namazu.cgi access"; flow:to_server,established; content:"/namazu.cgi?"; nocase; http_uri; content:"query="; distance:0; nocase; http_uri; content:"submit=Search"; http_uri; metadata:service http; reference:url,www.namazu.org/doc/manual.html; classtype:web-application-activity; sid:5707; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-SOCIAL Gizmo VOIP client start-up version check"; flow:established,to_server; content:"/dll/app?"; fast_pattern; nocase; http_uri; content:"class=DLL"; nocase; http_uri; content:"ApplicationID"; nocase; http_uri; content:"Gizmo"; nocase; http_uri; metadata:service http; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6406; rev:7;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Apple Messages service server request attempt"; flow:to_client,established; ssl_state:server_hello; content:"|2A|.ess.apple.com"; fast_pattern:only; metadata:service ssl; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:23991; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"POLICY-SOCIAL Apple Messages client side certificate request attempt"; flow:to_client,established; ssl_state:server_hello; content:"albert.apple.com"; fast_pattern:only; metadata:service ssl; reference:url,www.apple.com/osx/apps/all.html#messages; classtype:policy-violation; sid:23990; rev:1;)
# alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC G-line active"; flow:to_client,established; content:"ERROR :Closing Link:"; fast_pattern:only; content:"g-line"; nocase; metadata:service irc; reference:url,en.wikipedia.org/wiki/G-line#G-line; classtype:policy-violation; sid:25478; rev:3;)
# alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC K-line active"; flow:to_client,established; content:"ERROR :Closing Link:"; fast_pattern:only; content:"k-line"; nocase; metadata:service irc; reference:url,en.wikipedia.org/wiki/G-line#G-line; classtype:policy-violation; sid:25479; rev:3;)
# The two rules below are the only ones in this file that are not commented out, so they are
# the only POLICY-SOCIAL detections this file contributes when it is loaded.
# Both match the literal bytes "file://\\" (content:"file:|2F 2F 5C 5C|"), i.e. a file: URL
# whose path begins with two backslashes (UNC-style), inside chat-protocol traffic, and both
# cite CVE-2013-6486. The action is "alert", so a hit is logged, not dropped.
# sid:28090 covers server->client traffic whose *source* port is in the bracketed list;
# sid:28089 covers client->server traffic whose *destination* port is in the same list.
# NOTE(review): chat sessions carried on ports outside that list are not inspected by either
# rule, and the to_client/to_server checks depend on $HOME_NET and $EXTERNAL_NET being set
# correctly in the Snort configuration used by this deployment — confirm before relying on them.
alert tcp $EXTERNAL_NET [1863,3283,5060,5190,5220,5222,5269,5297,5298,5353,5678] -> $HOME_NET any (msg:"POLICY-SOCIAL multiple chat protocols link to local file attempt"; flow:to_client,established; content:"file:|2F 2F 5C 5C|"; fast_pattern:only; reference:cve,2013-6486; classtype:attempted-user; sid:28090; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [1863,3283,5060,5190,5220,5222,5269,5297,5298,5353,5678] (msg:"POLICY-SOCIAL multiple chat protocols link to local file attempt"; flow:to_server,established; content:"file:|2F 2F 5C 5C|"; fast_pattern:only; reference:cve,2013-6486; classtype:attempted-user; sid:28089; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL Pidgin MXIT emoticon integer overflow attempt"; flow:to_client,established; content:"Content-Disposition|3A 20|attachment|3B 20|filename|3D|"; fast_pattern:22,20; http_header; content:".mxf"; within:7; distance:3; http_header; file_data; content:"MXF"; depth:3; content:"|FF|"; within:2; distance:5; content:"|7D|"; within:10; distance:7; content:"PNG"; within:4; distance:4; metadata:service http; reference:cve,2013-6489; classtype:attempted-user; sid:28088; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SOCIAL AIM GoChat URL access attempt"; flow:to_client,established; file_data; content:"aim|3A|GoChat?"; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22146; reference:cve,2007-0021; reference:url,projects.info-pull.com/moab/MOAB-20-01-2007.html; classtype:misc-attack; sid:10116; rev:11;)
# alert tcp $EXTERNAL_NET [6666:7000,50000] -> $HOME_NET any (msg:"POLICY-SOCIAL IRC server connection"; flow:to_client,established; dsize:<140; content:"NOTICE AUTH |3A 2A 2A 2A| Looking up your hostname..."; fast_pattern:only; metadata:service irc; classtype:policy-violation; sid:39995; rev:1;)