snort2-docker/docker/etc/rules/pua-p2p.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------
# PUA-P2P RULES
#---------------

# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)
# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"PUA-P2P AOL Instant Messenger file receive attempt"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3681; rev:6;)
# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-P2P AOL Instant Messenger file send attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3680; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client setup get newest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getnewestversion"; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5694; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client start up get latest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getlatestversion?ver="; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5693; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; classtype:policy-violation; sid:5999; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"PUA-P2P Outbound Joltid PeerEnabler traffic detected"; flow:established,to_server; content:"User-Agent|3A| PeerEnabler"; nocase; content:"joltid"; within:20; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453078786; reference:url,www.joltid.com; classtype:policy-violation; sid:12691; rev:5;)
# alert udp $HOME_NET any <> $EXTERNAL_NET any (msg:"PUA-P2P Bittorrent uTP peer request"; content:"info_hash"; content:"get_peers"; fast_pattern:only; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16282; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent scrape request"; flow:established,to_server; content:"GET"; depth:4; content:"/scrape"; distance:1; content:"info_hash="; offset:4; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16281; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client successful install"; flow:to_server,established; content:"/ui/"; http_uri; content:"/installed"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:4;)
alert tcp $EXTERNAL_NET 16800:17000 -> $HOME_NET any (msg:"PUA-P2P P2PTv TVAnts TCP connection traffic detected"; flow:to_client,established; content:"|04 00|"; depth:2; pcre:"/[\x01\x02\x03\x04\x05\x06\x07]\x00.{4}\x43\x00/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12211; rev:5;)
alert udp $HOME_NET 16800:17000 -> $EXTERNAL_NET any (msg:"PUA-P2P P2PTv TVAnt udp traffic detected"; content:"|04 00|"; depth:2; pcre:"/[\x05\x06\x07]\x00.{6}[SD]S/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12209; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-P2P Ruckus P2P encrypted authentication connection"; flow:to_server,established; content:"|00 00|"; content:"www.ruckus.com"; within:14; distance:7; classtype:policy-violation; sid:12427; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12425; rev:7;)
# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"PUA-P2P Ruckus P2P broadcast domain probe"; flow:to_server; content:"ruckus|04|_tcp|05|local"; fast_pattern:only; classtype:policy-violation; sid:12426; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Vuze BitTorrent client outbound connection"; flow:to_server,established; content:"User-Agent|3A| Azureus"; fast_pattern:only; http_header; metadata:service http; reference:url,www.vuze.com; classtype:policy-violation; sid:29357; rev:1;)
Adding Docker Container 2020-02-24 13:56:30 +00:00			`# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.`
			`#`
			`# This file contains (i) proprietary rules that were created, tested and certified by`
			`# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT`
			`# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by`
			`# Sourcefire and other third parties (the "GPL Rules") that are distributed under the`
			`# GNU General Public License (GPL), v2.`
			`#`
			`# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created`
			`# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are`
			`# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by`
			`# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a`
			`# list of third party owners and their respective copyrights.`
			`#`
			`# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer`
			`# to the VRT Certified Rules License Agreement (v2.0).`
			`#`
			`#---------------`
			`# PUA-P2P RULES`
			`#---------------`

			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"\|13\|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)`
			`# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server\|3A\| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)`
			`# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"\|01 02 00 14\|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"PUA-P2P AOL Instant Messenger file receive attempt"; flow:to_server,established; content:"*\|02\|"; depth:2; content:"\|00 04 00 06\|"; within:8; distance:4; content:"\|09\|F\|13\|CL\|7F 11 D1 82 22\|DEST\|00\|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3681; rev:6;)`
			`# alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-P2P AOL Instant Messenger file send attempt"; flow:to_client,established; content:"*\|02\|"; depth:2; content:"\|00 04 00 07\|"; within:8; distance:4; content:"\|09\|F\|13\|CL\|7F 11 D1 82 22\|DEST\|00\|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3680; rev:7;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client setup get newest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getnewestversion"; http_uri; content:"Host\|3A\| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5694; rev:11;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client start up get latest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getlatestversion?ver="; http_uri; content:"Host\|3A\| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5693; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"\|17 03 01 00\|"; depth:4; classtype:policy-violation; sid:5999; rev:7;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"\|16 03 01 00\|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998; rev:7;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"PUA-P2P Outbound Joltid PeerEnabler traffic detected"; flow:established,to_server; content:"User-Agent\|3A\| PeerEnabler"; nocase; content:"joltid"; within:20; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453078786; reference:url,www.joltid.com; classtype:policy-violation; sid:12691; rev:5;)`
			`# alert udp $HOME_NET any <> $EXTERNAL_NET any (msg:"PUA-P2P Bittorrent uTP peer request"; content:"info_hash"; content:"get_peers"; fast_pattern:only; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16282; rev:4;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent scrape request"; flow:established,to_server; content:"GET"; depth:4; content:"/scrape"; distance:1; content:"info_hash="; offset:4; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16281; rev:3;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client successful install"; flow:to_server,established; content:"/ui/"; http_uri; content:"/installed"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:12;)`
			`alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; content:"\|04 00 07 00\|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:4;)`
			`alert tcp $EXTERNAL_NET 16800:17000 -> $HOME_NET any (msg:"PUA-P2P P2PTv TVAnts TCP connection traffic detected"; flow:to_client,established; content:"\|04 00\|"; depth:2; pcre:"/[\x01\x02\x03\x04\x05\x06\x07]\x00.{4}\x43\x00/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12211; rev:5;)`
			`alert udp $HOME_NET 16800:17000 -> $EXTERNAL_NET any (msg:"PUA-P2P P2PTv TVAnt udp traffic detected"; content:"\|04 00\|"; depth:2; pcre:"/[\x05\x06\x07]\x00.{6}[SD]S/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12209; rev:6;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-P2P Ruckus P2P encrypted authentication connection"; flow:to_server,established; content:"\|00 00\|"; content:"www.ruckus.com"; within:14; distance:7; classtype:policy-violation; sid:12427; rev:4;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent\|3A\| Ruckus/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12425; rev:7;)`
			`# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"PUA-P2P Ruckus P2P broadcast domain probe"; flow:to_server; content:"ruckus\|04\|_tcp\|05\|local"; fast_pattern:only; classtype:policy-violation; sid:12426; rev:5;)`
			`# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Vuze BitTorrent client outbound connection"; flow:to_server,established; content:"User-Agent\|3A\| Azureus"; fast_pattern:only; http_header; metadata:service http; reference:url,www.vuze.com; classtype:policy-violation; sid:29357; rev:1;)`