snort2-docker/docker/etc/rules/protocol-services.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------------
# PROTOCOL-SERVICES RULES
#-------------------------

# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin guest"; flow:to_server,established; content:"guest|00|guest|00|"; fast_pattern:only; classtype:attempted-user; sid:20602; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin nobody"; flow:to_server,established; content:"nobody|00|nobody|00|"; fast_pattern:only; classtype:attempted-user; sid:20601; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES  Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; isdataat:94; content:!"="; depth:64; offset:30; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+\x00/"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31590; rev:1;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES  Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; content:"|00|"; offset:30; isdataat:64,relative; content:!"="; within:64; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+?\x00/R"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt"; flow:to_server,established; content:"|00|casuser|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00casuser\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:25535; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)
Adding Docker Container 2020-02-24 13:56:30 +00:00			`# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.`
			`#`
			`# This file contains (i) proprietary rules that were created, tested and certified by`
			`# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT`
			`# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by`
			`# Sourcefire and other third parties (the "GPL Rules") that are distributed under the`
			`# GNU General Public License (GPL), v2.`
			`#`
			`# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created`
			`# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are`
			`# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by`
			`# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a`
			`# list of third party owners and their respective copyrights.`
			`#`
			`# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer`
			`# to the VRT Certified Rules License Agreement (v2.0).`
			`#`
			`#-------------------------`
			`# PROTOCOL-SERVICES RULES`
			`#-------------------------`

			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin guest"; flow:to_server,established; content:"guest\|00\|guest\|00\|"; fast_pattern:only; classtype:attempted-user; sid:20602; rev:3;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin nobody"; flow:to_server,established; content:"nobody\|00\|nobody\|00\|"; fast_pattern:only; classtype:attempted-user; sid:20601; rev:3;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"\|00\|"; content:"\|00\|"; distance:33; content:"\|00\|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"\|00\|"; offset:9; content:"\|00\|"; distance:0; content:"\|00\|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)`
			`# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"\|01\|rlogind\|3A\| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot\|00\|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo \|22\|+ +\|22\|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root\|00\|root\|00\|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)`
			`# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot\|00\|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo \|22\| + + \|22\|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)`
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"\|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A\|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)`
			`# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; isdataat:94; content:!"="; depth:64; offset:30; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+\x00/"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31590; rev:1;)`
			`# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; content:"\|00\|"; offset:30; isdataat:64,relative; content:!"="; within:64; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+?\x00/R"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31589; rev:1;)`
			# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt"; flow:to_server,established; content:"\|00\|casuser\|00\|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00casuser\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:25535; rev:8;)
			`# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"\|00\|root\|00\|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)`