snort2-docker/docker/etc/rules/protocol-finger.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# PROTOCOL-FINGER RULES
#-----------------------

# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A|     "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)
Adding Docker Container 2020-02-24 13:56:30 +00:00			`# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.`
			`#`
			`# This file contains (i) proprietary rules that were created, tested and certified by`
			`# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT`
			`# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by`
			`# Sourcefire and other third parties (the "GPL Rules") that are distributed under the`
			`# GNU General Public License (GPL), v2.`
			`#`
			`# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created`
			`# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are`
			`# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by`
			`# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a`
			`# list of third party owners and their respective copyrights.`
			`#`
			`# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer`
			`# to the VRT Certified Rules License Agreement (v2.0).`
			`#`
			`#-----------------------`
			`# PROTOCOL-FINGER RULES`
			`#-----------------------`

			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"\|0A\| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"\|7C\|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"\|3B\|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"\|00\|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)`