169 lines
34 KiB
Plaintext
169 lines
34 KiB
Plaintext
|
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
||
|
#
|
||
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
||
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
||
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
||
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
||
|
# GNU General Public License (GPL), v2.
|
||
|
#
|
||
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
||
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
||
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
||
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
||
|
# list of third party owners and their respective copyrights.
|
||
|
#
|
||
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
||
|
# to the VRT Certified Rules License Agreement (v2.0).
|
||
|
#
|
||
|
#---------------------
|
||
|
# PROTOCOL-ICMP RULES
|
||
|
#---------------------
|
||
|
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP invalid ICMPv6 header attempt"; dsize:32; content:"|3A 01 66 0D 66 0D 66 0D 66 0D 00 00 00 00 00 00|"; depth:16; content:"|80 00|"; within:2; content:"|DE AD BE EF|"; within:4; distance:2; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24305; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 multicast neighbor delete attempt"; itype:132; icode:0; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24302; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 MLD multicast listener query attempt"; itype:130; icode:0; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24301; rev:3;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 invalid router advertisement attempt"; itype:134; icode:0; content:"|00 00 00 05|"; isdataat:!1,relative; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24299; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 0xdeadbeef ICMP ping attempt"; itype:128; icode:0; icmp_id:57005; icmp_seq:48879; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24298; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 oversized ICMP ping attempt"; itype:128; icode:0; icmp_id:0; dsize:>1500; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24297; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 router advertisement invalid prefix option attempt"; itype:134; icode:0; isdataat:36; content:"|03 04|"; offset:11; byte_test:4,>,0,10,relative,little; reference:bugtraq,65409; reference:cve,2014-0254; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-006; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24296; rev:7;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP suspicious IPv6 router advertisement attempt"; itype:134; icode:0; content:"|03 04 80|"; offset:11; content:"|11 11 11 11 04 04 04 04|"; within:8; distance:1; content:!"|00 00 00 00|"; within:4; reference:url,thc.org/thc-ipv6/; classtype:attempted-admin; sid:24295; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 neighbor advertisement flood attempt"; itype:136; icode:0; detection_filter:track by_dst, count 500, seconds 1; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24294; rev:2;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 router advertisement flood attempt"; itype:134; icode:0; detection_filter:track by_dst, count 50, seconds 1; reference:bugtraq,65409; reference:cve,2014-0254; reference:cve,2014-2309; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-006; reference:url,www.thc.org/thc-ipv6/; classtype:attempted-dos; sid:23178; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ICMPv6 Echo Request"; icode:0; itype:128; classtype:misc-activity; sid:18474; rev:3;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ICMPv6 Echo Reply"; icode:0; itype:129; classtype:misc-activity; sid:18473; rev:3;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP record route rr denial of service attempt"; ipopts:rr; icode:0; itype:8; reference:bugtraq,870; reference:cve,1999-0986; reference:cve,1999-1339; reference:cve,2001-0752; classtype:attempted-dos; sid:8730; rev:6;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PATH MTU denial of service attempt"; itype:3; icode:4; byte_test:2,<,576,2; metadata:policy max-detect-ips drop; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos; sid:3626; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13;)
|
||
|
# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt"; content:"|60|"; depth:1; isdataat:!40,relative; reference:cve,2013-3182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-064; classtype:denial-of-service; sid:27611; rev:1;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Truncated ICMPv6 denial of service attempt"; content:"|60 58 58 58 58 58 58 58|"; fast_pattern:only; reference:cve,2013-3182; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-064; classtype:denial-of-service; sid:27610; rev:1;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 0xfacebabe ICMP ping attempt"; itype:128; icode:0; icmp_id:64206; icmp_seq:47806; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:28292; rev:1;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:1;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; content:!"WANG2"; content:!"cacti-monitoring-system"; depth:65; content:!"SolarWinds"; depth:72; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:2;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:1;)
|
||
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:1;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP FreeBSD rtsold dname_labeldec stack buffer overflow attempt"; itype:134; content:"|1F|"; depth:1; offset:12; content:"|00 00|"; within:2; distance:1; byte_test:1,>,0x80,-3,relative; reference:bugtraq,70694; reference:cve,2014-3954; classtype:attempted-admin; sid:32369; rev:3;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPv6 multicast neighbor add attempt"; itype:135; icode:0; metadata:policy max-detect-ips drop; reference:url,thc.org/thc-ipv6/; classtype:misc-activity; sid:24303; rev:6;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Route Information stack buffer overflow attempt "; itype:134; icode:0; content:"|18|"; depth:1; offset:12; byte_test:1,>,3,0,relative; reference:cve,2010-0241; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-009; classtype:attempted-admin; sid:18249; rev:5;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Microsoft Windows Ipv6pHandleRouterAdvertisement Prefix Information stack buffer overflow attempt "; itype:134; icode:0; content:"|03|"; depth:1; offset:12; byte_test:1,>,4,0,relative; metadata:policy max-detect-ips drop; reference:cve,2010-0239; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-009; classtype:attempted-admin; sid:16405; rev:6;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt"; icode:0; itype:>160; reference:cve,2014-7142; reference:url,squid-cache.org/Advisories/SQUID-2014_4.txt; classtype:attempted-dos; sid:36651; rev:1;)
|
||
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Squid Pinger IPv6 denial of service attempt"; icode:0; itype:11<>127; reference:cve,2014-7142; reference:url,squid-cache.org/Advisories/SQUID-2014_4.txt; classtype:attempted-dos; sid:36650; rev:1;)
|