357 lines
116 KiB
Plaintext
357 lines
116 KiB
Plaintext
|
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
||
|
#
|
||
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
||
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
||
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
||
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
||
|
# GNU General Public License (GPL), v2.
|
||
|
#
|
||
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
||
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
||
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
||
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
||
|
# list of third party owners and their respective copyrights.
|
||
|
#
|
||
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
||
|
# to the VRT Certified Rules License Agreement (v2.0).
|
||
|
#
|
||
|
#---------------------------
|
||
|
# INDICATOR-SHELLCODE RULES
|
||
|
#---------------------------
|
||
|
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26789; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26788; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25643; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"hspt"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25642; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25641; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddress"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25638; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"retaddr"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25637; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25635; rev:3;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_underscore_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 09 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:24114; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case javascript decoder"; flow:established,to_client; file_data; content:"%u5456%u3358%u5630%u3458%u5041%u4130%u4833%u3048%u3041%u4130%u4142%u4241%u4154%u5141%u4132%u3242%u4242%u4230%u5842%u3850%u4341"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; classtype:shellcode-detect; sid:23236; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower javascript encoder"; flow:to_client,established; file_data; content:"%u3c6b%u0b24%u0360%u240c"; nocase; content:"%u0c03%u6a24"; within:12; distance:6; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:23217; rev:5;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Piecemeal exploit and shellcode construction"; flow:to_client,established; file_data; content:"xcode-(shellcode.length"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:url,labs.m86security.com/2012/01/web-hijacks-with-ajax/; classtype:shellcode-detect; sid:21265; rev:4;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic avoid_utf8_tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; content:"|03 0C 24 6A 04|"; within:5; distance:1; classtype:shellcode-detect; sid:20990; rev:4;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single_static_bit encoder"; content:"|80 F9|"; content:"|74|"; within:1; distance:1; content:"|60 83 E9 01 74 06 B3 02 F6 F3 E2|"; within:11; distance:1; content:"|83 E0 01 6B 2F 02 09 E8 AA 61 83 ED FF 83 FD 08 75|"; within:17; distance:1; content:"|83 EF FF 31 ED|"; within:5; distance:1; classtype:shellcode-detect; sid:20989; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_railgun_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_railgun_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_railgun_(memread|memwrite|api_multi|api)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20199; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter networkpug_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|networkpug_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01networkpug_(start|stop)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20198; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter espia_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|espia_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01espia_(video_get_dev_image|audio_get_dev_audio|image_get_dev_screen)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20197; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter lanattacks_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|lanattacks_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01lanattacks_(start_dhcp|reset_dhcp|set_dhcp_option|stop_dhcp|dhcp_log|start_tftp|reset_tftp|add_tftp_file|stop_tftp)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20196; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter priv_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|priv_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01priv_(elevate_getsystem|passwd_get_sam_hashes|fs_get_file_mace|fs_set_file_mace|fs_set_file_mace_from_file|fs_blank_file_mace|fs_blank_directory_mace)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20195; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter sniffer_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|sniffer_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01sniffer_(interfaces|capture_start|capture_stop|capture_stats|capture_dump|capture_dump_read)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20194; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter webcam_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|webcam_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01webcam_(list|start|get_frame|stop|audio_record)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20193; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter incognito_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|incognito_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01incognito_(list_tokens|impersonate_token|add_user|add_group_user|add_localgroup_user|snarf_hashes)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20192; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_registry_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_registry_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_registry_(load_key|unload_key|open_key|open_remote_key|create_key|delete_key|close_key|enum_key|set_value|query_value|delete_value|query_class|enum_value)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20190; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_ui_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_ui_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_ui_(enable_keyboard|enable_mouse|get_idle_time|desktop_enum|desktop_get|desktop_set|desktop_screenshot|unlock_desktop|start_keyscan|stop_keyscan|get_keys)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20189; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_eventlog_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_eventlog_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_eventlog_(open|numrecords|read|oldest|clear|close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20187; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_process_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_process_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_process_(thread_open|thread_create|thread_get_threads|image_load|image_get_proc_address|image_unload|image_get_images|memory_allocate|memory_free|memory_read|memory_write|memory_query|memory_protect|memory_lock|memory_unlock|attach|execute|kill|getpid|get_processes|close|wait|get_info|thread_suspend|thread_resume|thread_terminate|thread_query_regs|thread_set_regs|thread_close)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20186; rev:3;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_fs_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_fs_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_fs_(separator|search|file_expand_path|md5|sha1|delete_file|stat|ls|chdir|mkdir|getwd|delete_dir)/"; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20185; rev:3;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SHELLCODE Metasploit php meterpreter stub .php file upload"; flow:established,to_server; content:"|24|GLOBALS|5B 27|msgsock_type|27 5D| = |24|s_type|3B 0A|eval"; fast_pattern:only; metadata:service http; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20184; rev:4;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder unescaped"; content:"unescape"; content:"%ud9ee%u2474%u"; content:"%uf4e2"; distance:18; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17323; rev:4;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"INDICATOR-SHELLCODE x86 PoC CVE-2003-0605"; flow:established,to_server; content:"|05 00 06 01 00 00 00 00|11111111111111111111111111111111|00 00 00 00 00 00 00 00|"; fast_pattern:only; reference:cve,2003-0605; classtype:attempted-user; sid:15903; rev:5;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"RERERERERERERERERERERERERERERERER"; classtype:shellcode-detect; sid:12801; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30229; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/shell stage transfer attempt"; flow:established; content:"|0B 01 00 00|"; depth:4; content:"|D9 74 24 F4|"; within:4; distance:7; content:"|C9 B1 3D|"; within:3; distance:2; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30228; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/reverse_tcp stager transfer attempt"; flow:established; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30227; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit windows/meterpreter stage transfer attempt"; flow:established; content:"METERPRETER_USERNAME_PROXY"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30226; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt"; flow:established; content:"Rh//shh/bin"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30225; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell_reverse_tcp single stage transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 C0 A8 1E 01 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 B0 0B CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30224; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/shell stage transfer attempt"; flow:established; content:"|89 FB 6A 02 59 6A 3F 58 CD 80 49 79 F8 6A 0B 58 99 52 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 53 89 E1 CD 80|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30223; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit shellcode linux/x86/meterpreter stage transfer attempt"; flow:established; content:"|6A 04 5A 89 E1 89 FB 6A 03 58 CD 80 57 B8 C0 00 00 00 BB 00 00 04 20 8B 4C 24 04 6A 07 5A 6A 32 5E 31 FF 89 FD 4F CD 80 3D 7F|"; fast_pattern:only; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30222; rev:1;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit linux/x86 reverse_tcp stager transfer attempt"; flow:established; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68|"; content:"|89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89 E3 C1 EB 0C C1 E3 0C B0 7D CD 80 5B 89 E1 99 B6 0C B0 03 CD 80 FF E1|"; within:44; distance:9; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30221; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_meterpreter_reverse_https"; content:"|FC 48 83 E4 F0 E8 C8 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30480; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_x64_exec"; content:"|FC 48 83 E4 F0 E8 C0 00 00 00 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30479; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_speak_pwned"; content:"|66 81 E4 FC FF 31 F6 64 8B 76 30 8B 76 0C 8B 76 1C 56 66 BE AA 1A 5F 8B 6F 08 FF 37 8B 5D 3C 8B 5C 1D 78 01 EB 8B 4B 18 67 E3 EB 8B 7B 20 01 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30478; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_shell_bind_tcp_xpfw"; content:"|E8 56 00 00 00 53 55 56 57 8B 6C 24 18 8B 45 3C 8B 54 05 78 01 EA 8B 4A 18 8B 5A 20 01 EB E3 32 49 8B 34 8B 01 EE 31 FF FC 31 C0 AC 38 E0 74 07|"; fast_pattern:only; classtype:shellcode-detect; sid:30477; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_reverse_ord_tcp"; content:"|FC 31 DB 64 8B 43 30 8B 40 0C 8B 50 1C 8B 12 8B 72 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6A 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 01 E9 8B 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30476; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_find_tag"; content:"|FC 33 FF 64 8B 47 30 8B 40 0C 8B 58 1C 8B 1B 8B 73 20 AD AD 4E 03 06 3D 32 33 5F 32 75 EF 8B 6B 08 8B 45 3C 8B 4C 05 78 8B 4C 0D 1C 8B 5C 29 3C|"; fast_pattern:only; classtype:shellcode-detect; sid:30475; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_tcp"; content:"|FC E8 86 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30474; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_meterpreter_bind_nonx_tcp"; content:"|FC 6A EB 47 E8 F9 FF FF FF 60 31 DB 8B 7D 3C 8B 7C 3D 78 01 EF 8B 57 20 01 EA 8B 34 9A 01 EE 31 C0 99 AC C1 CA 0D 01 C2 84 C0 75 F6 43 66 39 CA|"; fast_pattern:only; classtype:shellcode-detect; sid:30473; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_messagebox"; content:"|D9 EB 9B D9 74 24 F4 31 D2 B2 77 31 C9 64 8B 71 30 8B 76 0C 8B 76 1C 8B 46 08 8B 7E 20 8B 36 38 4F 18 75 F3 59 01 D1 FF E1 60 8B 6C 24 24 8B 45|"; fast_pattern:only; classtype:shellcode-detect; sid:30472; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload windows_adduser"; content:"|FC E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61 7C 02 2C 20 C1 CF 0D 01 C7 E2 F0 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30471; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_reverse_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 68 0A 07 00 2B 66 68 11 5C 66 6A 02 89 E7 6A 02 31 C0 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0|"; fast_pattern:only; classtype:shellcode-detect; sid:30470; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_find_port"; content:"|31 DB F7 E3 53 89 E7 68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 57 B3 91 53 53 54 B7 54 53 50 58 40 50 6A 36 58 FF D6 66|"; fast_pattern:only; classtype:shellcode-detect; sid:30469; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_x86_shell_bind_tcp"; content:"|68 FF D8 FF 3C 6A 65 89 E6 F7 56 04 F6 16 31 C0 50 68 FF 02 11 5C 89 E7 6A 02 50 50 6A 02 6A 02 B0 E6 FF D6 6A 10 57 50 31 C0 B0 E8 FF D6 5B 50|"; fast_pattern:only; classtype:shellcode-detect; sid:30468; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 94 10 20 03 92 10 20 09 94 A2 A0 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30467; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_find_port"; content:"|9C 2B A0 07 90 1A 80 0A D0 23 BF E8 90 02 20 01 90 0A 2F FF 92 10 20 10 D0 3B BF F8 94 23 A0 04 92 23 A0 18 82 10 20 F3 91 D0 20 08 94 10 20 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30466; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload solaris_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 98 10 20 01 96 1A C0 0B 94 1A C0 0B 92 10 20 02 90 10 20 02 82 10 20 E6 91 D0 20 08 D0 23 BF F8 21 00 00 84 A0 14 21 5C E0 23 BF F0|"; fast_pattern:only; classtype:shellcode-detect; sid:30465; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp_ssl"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 79 5A 58 46 31 61 58 4A 6C 49 43 64 76 63 47 56|"; fast_pattern:only; classtype:shellcode-detect; sid:30464; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_reverse_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 6A 50 56 52 44 55 46 4E 76 59 32 74 6C 64 43 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30463; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload ruby_shell_bind_tcp"; content:"|63 6F 64 65 20 3D 20 25 28 63 6D 56 78 64 57 6C 79 5A 53 41 6E 63 32 39 6A 61 32 56 30 4A 7A 74 7A 50 56 52 44 55 46 4E 6C 63 6E 5A 6C 63 69 35|"; fast_pattern:only; classtype:shellcode-detect; sid:30462; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_shell_reverse_tcp_ssl"; content:"|65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74 6C 64 43 78 7A 64 57 4A 77 63 6D 39 6A 5A 58 4E 7A 4C 47 39 7A 4C 48 4E 7A 62 41|"; fast_pattern:only; classtype:shellcode-detect; sid:30461; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload python_meterpreter_bind_tcp"; content:"|69 6D 70 6F 72 74 20 62 61 73 65 36 34 3B 20 65 78 65 63 28 62 61 73 65 36 34 2E 62 36 34 64 65 63 6F 64 65 28 27 61 57 31 77 62 33 4A 30 49 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30460; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_shell_findsock"; content:"|65 72 72 6F 72 5F 72 65 70 6F 72 74 69 6E 67 28 30 29 3B 0A 70 72 69 6E 74 28 22 3C 68 74 6D 6C 3E 3C 62 6F 64 79 3E 22 29 3B 0A 66 6C 75 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30459; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_php"; content:"|20 65 6C 73 65 20 69 66 20 28 73 75 62 73 74 72 28 24 63 2C 30 2C 34 29 20 3D 3D 20 27 71 75 69 74 27 20 7C 7C 20 73 75 62 73 74 72 28 24 63 2C|"; fast_pattern:only; classtype:shellcode-detect; sid:30458; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_reverse_perl"; content:"|62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33 4A 72 4F 32 56 34 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30457; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_reverse_tcp"; content:"|69 66 20 28 21 69 73 73 65 74 28 24 47 4C 4F 42 41 4C 53 5B 27 63 68 61 6E 6E 65 6C 73 27 5D 29 29 20 7B 20 24 47 4C 4F 42 41 4C 53 5B 27 63 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30456; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_meterpreter_bind_tcp"; content:"|23 3C 3F 70 68 70 0A 0A 23 20 54 68 65 20 70 61 79 6C 6F 61 64 20 68 61 6E 64 6C 65 72 20 6F 76 65 72 77 72 69 74 65 73 20 74 68 69 73 20 77 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30455; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_exec"; content:"|24 63 20 3D 20 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 22 4C 32 4A 70 62 69 39 7A 61 41 3D 3D 22 29 3B 20 40 73 65 74 5F 74 69 6D 65 5F 6C 69|"; fast_pattern:only; classtype:shellcode-detect; sid:30454; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_download_exec"; content:"|20 20 20 20 69 66 20 28 21 66 75 6E 63 74 69 6F 6E 5F 65 78 69 73 74 73 28 27 73 79 73 5F 67 65 74 5F 74 65 6D 70 5F 64 69 72 27 29 29 20 7B 0A|"; fast_pattern:only; classtype:shellcode-detect; sid:30453; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload php_bind_perl"; content:"|73 79 73 74 65 6D 28 62 61 73 65 36 34 5F 64 65 63 6F 64 65 28 27 63 47 56 79 62 43 41 74 54 55 6C 50 49 43 31 6C 49 43 63 6B 63 44 31 6D 62 33|"; fast_pattern:only; classtype:shellcode-detect; sid:30452; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6D 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 52 31 DB 83 EB 01 43|"; fast_pattern:only; classtype:shellcode-detect; sid:30451; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_vforkshell_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7E 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 67 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30450; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_shell_find_port"; content:"|50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30449; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_reverse_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 72 6C 89 C7 52 52 68 0A 07 00 2B 68 00 02 11 5C 89 E3 6A 10 53 57 52 B0 62 CD 80 72 51 89 E5 83 EC 08 31|"; fast_pattern:only; classtype:shellcode-detect; sid:30448; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_isight_bind_tcp"; content:"|31 C0 99 50 40 50 40 50 52 B0 61 CD 80 0F 82 7D 00 00 00 89 C6 52 52 52 68 00 02 11 5C 89 E3 6A 10 53 56 52 B0 68 CD 80 72 66 52 56 52 B0 6A CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30447; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x86_exec"; content:"|31 C0 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5B 50 50 53 B0 3B 50 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30446; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C4 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30445; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_shell_find_tag"; content:"|48 31 FF 57 48 89 E6 6A 04 5A 48 8D 4A FE 4D 31 C0 4D 31 C9 48 FF CF 48 FF C7 B8 1D 00 00 02 0F 05 81 3C 24 4E 45 4D 4F 75 ED 48 31 C9 B8 1D 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30444; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_say"; content:"|48 31 C0 B8 3B 00 00 02 E8 14 00 00 00 2F 75 73 72 2F 62 69 6E 2F 73 61 79 00 48 65 6C 6C 6F 21 00 48 8B 3C 24 4C 8D 57 0D 48 31 D2 52 41 52 57|"; fast_pattern:only; classtype:shellcode-detect; sid:30443; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_exec"; content:"|48 31 D2 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 5F 52 57 48 89 E6 48 C7 C0 3B 00 00 02 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30442; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_reverse_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 49 89 C5 48 89 C7 B8 62 00 00 02 48 31 F6 56 48 BE 00 02 11 5C 0A 07 00 2B 56 48 89 E6 6A 10 5A|"; fast_pattern:only; classtype:shellcode-detect; sid:30441; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_x64_dupandexecve_bind_tcp"; content:"|B8 61 00 00 02 6A 02 5F 6A 01 5E 48 31 D2 0F 05 48 89 C7 B8 68 00 00 02 48 31 F6 56 BE 00 02 11 5C 56 48 89 E6 6A 10 5A 0F 05 B8 6A 00 00 02 48|"; fast_pattern:only; classtype:shellcode-detect; sid:30440; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_reverse_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 0A 07 00 2B 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30439; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_find_tag"; content:"|3B A0 0F FF 3B C0 0F FF 37 9D F0 02 7F DC F0 51 41 80 FF F0 38 1D F0 67 7F C3 F3 78 38 81 EF F8 38 A0 0F FF 38 DD F0 81 44 FF FF 02 7C C6 32 79|"; fast_pattern:only; classtype:shellcode-detect; sid:30438; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_ppc_shell_bind_tcp"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 11 5C 00 00 00 00 7C 88 02 A6 38 A0 00 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30437; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_vibrate"; content:"|20 08 A0 E1 04 F0 1F E5 74 F9 9E 31 44 44 EA 03|"; fast_pattern:only; classtype:shellcode-detect; sid:30436; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 0A 07 00 2B 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30435; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload osx_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 61 C0 A0 E3 80 00 00 EF 00 A0 A0 E1 01 00 00 EB 00 02 11 5C 00 00 00 00 0A 00 A0 E1 0E 10 A0 E1 10 20 A0 E3|"; fast_pattern:only; classtype:shellcode-detect; sid:30434; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload nodejs_shell_bind_tcp"; content:"|20 28 66 75 6E 63 74 69 6F 6E 28 29 7B 20 76 61 72 20 72 65 71 75 69 72 65 20 3D 20 67 6C 6F 62 61 6C 2E 72 65 71 75 69 72 65 20 7C 7C 20 67 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30433; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload netware_shell_reverse_tcp"; content:"|EB 41 57 51 31 FF 8B 54 BD 00 85 D2 74 24 31 F6 8B 5A 08 8A 03 84 C0 74 0D 43 0F B6 0B C1 CE 0D 01 CE FE C8 EB EF 3B 74 24 0C 74 11 8B 12 85 D2|"; fast_pattern:only; classtype:shellcode-detect; sid:30432; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp2"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 5B 5A 68 0A 07 00 2B 66 68 11 5C 43 66 53 89 E1 B0 66 50 51 53 89 E1 43 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30431; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 93 59 B0 3F CD 80 49 79 F9 68 0A 07 00 2B 68 02 00 11 5C 89 E1 B0 66 50 51 53 B3 03 89 E1 CD 80 52|"; fast_pattern:only; classtype:shellcode-detect; sid:30430; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_find_port"; content:"|75 F1 5B 6A 02 59 B0 3F CD 80 49 79 F9 50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 53 89 E1 99 B0 0B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30429; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp_random_port"; content:"|31 DB F7 E3 B0 66 43 52 53 6A 02 89 E1 CD 80 52 50 89 E1 B0 66 B3 04 CD 80 B0 66 43 CD 80 59 93 6A 3F 58 CD 80 49 79 F8 B0 0B 68 2F 2F 73 68 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30428; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89 E1 6A 66 58 CD 80 89 41 04 B3 04 B0 66 CD 80 43 B0 66 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30427; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_shell_bind_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 52 52 52 52 52 52 66 68 11 5C 66 68 0A 00 89 E1 6A 1C 51 56 89 E1 43 6A 66 58 CD 80 B0 66 B3 04|"; fast_pattern:only; classtype:shellcode-detect; sid:30426; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_tcp"; content:"|31 DB F7 E3 53 43 53 6A 02 B0 66 89 E1 CD 80 97 5B 68 0A 07 00 2B 68 02 00 11 5C 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 B2 07 B9 00 10 00 00 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30425; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80 97 5B 68 0A 07 00 2B 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 57 89 E1 43 CD 80 5B 99 B6 0C B0 03 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30424; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_reverse_ipv6_tcp"; content:"|31 DB 53 43 53 6A 0A 89 E1 6A 66 58 CD 80 96 99 68 00 00 00 00 68 0A 07 00 2B 68 00 00 5E FE 68 00 00 00 00 68 FE 80 00 00 52 66 68 11 5C 66 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30423; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_find_tag"; content:"|31 DB 53 89 E6 6A 40 B7 0A 53 56 53 89 E1 86 FB 66 FF 01 6A 66 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30422; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 53 43 53 6A 02 89 E1 B0 66 CD 80 5B 5E 52 68 02 00 11 5C 6A 10 51 50 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30421; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_nonx_tcp"; content:"|31 DB 53 43 53 6A 02 6A 66 58 99 89 E1 CD 80 96 43 52 66 68 11 5C 66 53 89 E1 6A 66 58 50 51 56 89 E1 CD 80 B0 66 D1 E3 CD 80 52 52 56 43 89 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30420; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_meterpreter_bind_ipv6_tcp"; content:"|6A 7D 58 99 B2 07 B9 00 10 00 00 89 E3 66 81 E3 00 F0 CD 80 31 DB F7 E3 11 5C 53 6A 0A 89 E1 B0 66 CD 80 43 52 52 52 52 52 52 68 0A 00 BF BF 89|"; fast_pattern:only; classtype:shellcode-detect; sid:30419; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_exec"; content:"|6A 0B 58 99 52 66 68 2D 63 89 E7 68 2F 73 68 00 68 2F 62 69 6E 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30418; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_chmod"; content:"|99 6A 0F 58 52 E8 0C 00 00 00 2F 65 74 63 2F 73 68 61 64 6F 77 00 5B 68 B6 01 00 00 59 CD 80 6A 01 58 CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30417; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x86_adduser"; content:"|31 C9 89 CB 6A 46 58 CD 80 6A 05 58 31 C9 51 68 73 73 77 64 68 2F 2F 70 61 68 2F 65 74 63 89 E3 41 B5 04 CD 80 93 E8 28 00 00 00 6D 65 74 61 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30416; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_reverse_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 48 B9 02 00 11 5C 0A 07 00 2B 51 48 89 E6 6A 10 5A 6A 2A 58 0F 05 6A 03 5E 48 FF CE 6A 21 58 0F 05 75|"; fast_pattern:only; classtype:shellcode-detect; sid:30415; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_find_port"; content:"|48 31 FF 48 31 DB B3 14 48 29 DC 48 8D 14 24 48 8D 74 24 04 6A 34 58 0F 05 48 FF C7 66 81 7E 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30414; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp_random_port"; content:"|48 31 F6 48 F7 E6 FF C6 6A 02 5F B0 29 0F 05 52 5E 50 5F B0 32 0F 05 B0 2B 0F 05 57 5E 48 97 FF CE B0 21 0F 05 75 F8 52 48 BF 2F 2F 62 69 6E 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30413; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_shell_bind_tcp"; content:"|6A 29 58 99 6A 02 5F 6A 01 5E 0F 05 48 97 52 C7 04 24 02 00 11 5C 48 89 E6 6A 10 5A 6A 31 58 0F 05 6A 32 58 0F 05 48 31 F6 6A 2B 58 0F 05 48 97|"; fast_pattern:only; classtype:shellcode-detect; sid:30412; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_x64_exec"; content:"|6A 3B 58 99 48 BB 2F 62 69 6E 2F 73 68 00 53 48 89 E7 68 2D 63 00 00 48 89 E6 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 56 57 48 89 E6 0F 05|"; fast_pattern:only; classtype:shellcode-detect; sid:30411; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 97 41 FF FC 97 81 FF FC 97 E1 FF FC 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30410; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 97 E1 FF FC 97 81 FF FC 97 61 FF FC 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30409; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_find_port"; content:"|7F FF FA 78 3B A0 01 FF 97 E1 FF FC 7C 3C 0B 78 3B 7D FE 11 97 61 FF FC 7C 3A 0B 78 FB 41 FF F9 FB 81 FF F9 FB E1 FF F9 3B FF 01 FF 3B FF FE 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30408; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_ppc64_shell_bind_tcp"; content:"|7F FF FA 78 3B A0 01 FF 3B 9D FE 02 3B 7D FE 03 FB E1 FF F9 FB 81 FF F9 FB 61 FF F9 7C 24 0B 78 38 7D FE 02 38 1D FE 67 44 FF FF 02 7C 7A 1B 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30407; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_reverse_tcp"; content:"|FA FF 0F 24 27 78 E0 01 FD FF E4 21 FD FF E5 21 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF A2 AF FF FF A4 8F FD FF 0F 34 27 78 E0 01 E2 FF AF AF|"; fast_pattern:only; classtype:shellcode-detect; sid:30406; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_shell_bind_tcp"; content:"|E0 FF BD 27 FD FF 0E 24 27 20 C0 01 27 28 C0 01 FF FF 06 28 57 10 02 24 0C 01 01 01 FF FF 50 30 EF FF 0E 24 27 70 C0 01 11 5C 0D 24 04 68 CD 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30405; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsle_reboot"; content:"|21 43 06 3C DC FE C6 34 12 28 05 3C 69 19 A5 34 E1 FE 04 3C AD DE 84 34 F8 0F 02 24 0C 01 01 01|"; fast_pattern:only; classtype:shellcode-detect; sid:30404; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_reverse_tcp"; content:"|24 0F FF FA 01 E0 78 27 21 E4 FF FD 21 E5 FF FD 28 06 FF FF 24 02 10 57 01 01 01 0C AF A2 FF FF 8F A4 FF FF 34 0F FF FD 01 E0 78 27 AF AF FF E0|"; fast_pattern:only; classtype:shellcode-detect; sid:30403; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_mipsbe_shell_bind_tcp"; content:"|27 BD FF E0 24 0E FF FD 01 C0 20 27 01 C0 28 27 28 06 FF FF 24 02 10 57 01 01 01 0C 30 50 FF FF 24 0E FF EF 01 C0 70 27 24 0D FF FD 01 A0 68 27|"; fast_pattern:only; classtype:shellcode-detect; sid:30402; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_reverse_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 05 20 81 E2 8C 70 A0 E3 8D 70 87 E2 00 00 00 EF 00 60 A0 E1 84 10 8F E2 10 20 A0 E3 8D 70 A0 E3 8E 70 87 E2 00 00 00 EF|"; fast_pattern:only; classtype:shellcode-detect; sid:30401; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_shell_bind_tcp"; content:"|02 00 A0 E3 01 10 A0 E3 06 20 A0 E3 01 70 A0 E3 07 74 A0 E1 19 70 87 E2 00 00 00 EF 00 60 A0 E1 A4 10 8F E2 10 20 A0 E3 01 70 A0 E3 07 74 A0 E1|"; fast_pattern:only; classtype:shellcode-detect; sid:30400; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_exec"; content:"|01 30 8F E2 13 FF 2F E1 78 46 0A 30 01 90 01 A9 92 1A 0B 27 01 DF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30399; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload linux_armle_adduser"; content:"|05 50 45 E0 01 50 8F E2 15 FF 2F E1 78 46 5C 30 FF 21 FF 31 FF 31 FF 31 45 31 DC 22 C8 32 05 27 01 DF 80 46 41 46 08 1C 79 46 18 31 C0 46 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30398; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_shell_reverse_tcp"; content:"|24 00 00 18 00 00 00 6D 65 74 61 73 70 6C 6F 69 74 2F 50 61 79 6C 6F 61 64 2E 63 6C 61 73 73 95 59 09 7C 14 E5 15 7F EF DB 63 66 27 43 12 06 16|"; fast_pattern:only; classtype:shellcode-detect; sid:30397; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload java_jsp_shell_bind_tcp"; content:"|67 65 74 52 75 6E 74 69 6D 65 28 29 2E 65 78 65 63 28 20 22 63 6D 64 2E 65 78 65 22 20 29 3B 0A 20 20 20 20 28 20 6E 65 77 20 53 74 72 65 61 6D|"; fast_pattern:only; classtype:shellcode-detect; sid:30396; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_shell_bind_tcp"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 77 73 63 72 69 70 74 2E|"; fast_pattern:only; classtype:shellcode-detect; sid:30395; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload firefox_exec"; content:"|73 68 2E 69 6E 69 74 57 69 74 68 50 61 74 68 28 22 43 3A 5C 5C 57 69 6E 64 6F 77 73 5C 5C 53 79 73 74 65 6D 33 32 5C 5C 63 6D 64 2E 65 78 65 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30394; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_ruby"; content:"|5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C 65 28 63 6D 64 3D 63 2E 67 65 74 73 29 3B 49 4F 2E 70 6F 70 65 6E 28 63 6D 64 2C 5C 22 72 5C 22 29 7B|"; fast_pattern:only; classtype:shellcode-detect; sid:30393; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_powershell"; content:"|70 6F 77 65 72 73 68 65 6C 6C 20 2D 77 20 68 69 64 64 65 6E 20 2D 6E 6F 70 20 2D 63 20 66 75 6E 63 74 69 6F 6E 20 52 53 43 7B 69 66 20 28 24 63|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1086; classtype:shellcode-detect; sid:30392; rev:2;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30391; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_download_exec_vbs"; content:"|2E 65 78 65 22 2C 32 3A 43 72 65 61 74 65 4F 62 6A 65 63 74 28 22 57 53 63 72 69 70 74 2E 53 68 65 6C 6C 22 29 2E 52 75 6E 20 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30390; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 22 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 5C 22 34 34 34 34 5C 22 29 3B 77 68 69 6C|"; fast_pattern:only; classtype:shellcode-detect; sid:30389; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 36 28 4C 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30388; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 22 77 68 69 6C 65 28 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 49 4E 45 54 28 4C 6F 63 61|"; fast_pattern:only; classtype:shellcode-detect; sid:30387; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_windows_adduser"; content:"|63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 73 65 72 20 6D 65 74 61 73 70 6C 6F 69 74 20 4D 65 74 61 73 70 6C 6F 69 74 24 31 20 2F 41 44 44|"; fast_pattern:only; classtype:shellcode-detect; sid:30386; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_zsh"; content:"|20 34 34 34 34 3B 77 68 69 6C 65 20 72 65 61 64 20 2D 72 20 63 6D 64 20 3C 26 24 52 45 50 4C 59 3B 64 6F 20 65 76 61 6C 20 24 7B 63 6D 64 7D 20|"; fast_pattern:only; classtype:shellcode-detect; sid:30385; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby_ssl"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 72 6F 70 65 6E 73 73 6C 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 4F 70 65 6E 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30384; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 63 3D 54 43 50 53 6F 63 6B 65 74 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30383; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_python"; content:"|70 79 74 68 6F 6E 20 2D 63 20 22 65 78 65 63 28 27 61 57 31 77 62 33 4A 30 49 48 4E 76 59 32 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30382; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_php_ssl"; content:"|6F 29 3B 24 6F 3D 69 6D 70 6C 6F 64 65 28 22 5C 6E 22 2C 24 6F 29 3B 24 6F 2E 3D 22 5C 6E 22 3B 66 70 75 74 73 28 24 73 2C 24 6F 29 3B 7D 27 26|"; fast_pattern:only; classtype:shellcode-detect; sid:30381; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl_ssl"; content:"|70 65 72 6C 20 2D 65 20 27 75 73 65 20 49 4F 3A 3A 53 6F 63 6B 65 74 3A 3A 53 53 4C 3B 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29|"; fast_pattern:only; classtype:shellcode-detect; sid:30380; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30379; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_openssl"; content:"|3A 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 6F 70 65 6E 73 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30378; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 74 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30377; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_awk"; content:"|2F 34 34 34 34 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E 65 20 63 3B 63 6C 6F 73 65 28 63 29 29 77 68 69 6C 65 28 63 7C 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30376; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse"; content:"|20 34 34 34 34 7C 77 68 69 6C 65 20 3A 20 3B 20 64 6F 20 73 68 20 26 26 20 62 72 65 61 6B 3B 20 64 6F 6E 65 20 32 3E 26 31 7C 74 65 6C 6E 65 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30375; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_zsh"; content:"|7A 6D 6F 64 6C 6F 61 64 20 7A 73 68 2F 6E 65 74 2F 74 63 70 3B 7A 74 63 70 20 2D 6C 20 34 34 34 34 3B 7A 74 63 70 20 2D 61 20 24 52 45 50 4C 59|"; fast_pattern:only; classtype:shellcode-detect; sid:30374; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_ruby"; content:"|72 75 62 79 20 2D 72 73 6F 63 6B 65 74 20 2D 65 20 27 65 78 69 74 20 69 66 20 66 6F 72 6B 3B 73 3D 54 43 50 53 65 72 76 65 72 2E 6E 65 77 28 22|"; fast_pattern:only; classtype:shellcode-detect; sid:30373; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl_ipv6"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 24 63 3D 6E 65 77 20 49 4F 3A 3A 53 6F 63|"; fast_pattern:only; classtype:shellcode-detect; sid:30372; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_perl"; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 28 29 3B 65 78 69 74 2C 69 66 24 70 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; classtype:shellcode-detect; sid:30371; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_nodejs"; content:"|6E 6F 64 65 20 2D 65 20 27 65 76 61 6C 28 22 5C 78 32 30 5C 78 32 38 5C 78 36 36 5C 78 37 35 5C 78 36 65 5C 78 36 33 5C 78 37 34 5C 78 36 39 5C|"; fast_pattern:only; classtype:shellcode-detect; sid:30370; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping_ipv6"; content:"|6E 63 20 2D 36 20 2D 6C 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30369; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat_gaping"; content:"|6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 2D 65 20 2F 62 69 6E 2F 73 68|"; fast_pattern:only; classtype:shellcode-detect; sid:30368; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_netcat"; content:"|20 28 6E 63 20 2D 6C 20 2D 70 20 34 34 34 34 20 7C 7C 6E 63 20 2D 6C 20 34 34 34 34 29 30 3C 2F 74 6D 70 2F|"; fast_pattern:only; classtype:shellcode-detect; sid:30367; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_lua"; content:"|6C 75 61 20 2D 65 20 22 6C 6F 63 61 6C 20 73 3D 72 65 71 75 69 72 65 28 27 73 6F 63 6B 65 74 27 29 3B 6C 6F 63 61 6C 20 73 3D 61 73 73 65 72 74|"; fast_pattern:only; classtype:shellcode-detect; sid:30366; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_inetd"; content:"|20 73 74 72 65 61 6D 20 74 63 70 20 6E 6F 77 61 69 74 20 72 6F 6F 74 20 2F 62 69 6E 2F 73 68 20 73 68 3E 2F 74 6D 70|"; fast_pattern:only; classtype:shellcode-detect; sid:30365; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_bind_awk"; content:"|61 77 6B 20 27 42 45 47 49 4E 7B 73 3D 22 2F 69 6E 65 74 2F 74 63 70 2F 34 34 34 34 2F 30 2F 30 22 3B 66 6F 72 28 3B 73 7C 26 67 65 74 6C 69 6E|"; fast_pattern:only; classtype:shellcode-detect; sid:30364; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsdi_x86_shell_find_port"; content:"|50 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53|"; fast_pattern:only; classtype:shellcode-detect; sid:30363; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_tcp"; content:"|68 0A 07 00 2B 68 FF 02 11 5C 89 E7 31 C0 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 62 58 CD 80 50 6A 5A 58 CD 80 FF 4F E8 79 F6 68 2F 2F 73|"; fast_pattern:only; classtype:shellcode-detect; sid:30362; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_reverse_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 EB 0E 59 6A 1C 51 50 97 6A 62 58 50 CD 80 EB 21 E8 ED FF FF FF 1C 1C 11 5C 00 00 00 00 FE 80 00 00 00 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30361; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_find_port"; content:"|EE 50 6A 5A 58 CD 80 FF 4F F0 79 F6 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53 50 B0 3B CD 80|"; fast_pattern:only; classtype:shellcode-detect; sid:30360; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_tcp"; content:"|31 C0 50 68 FF 02 11 5C 89 E7 50 6A 01 6A 02 6A 10 B0 61 CD 80 57 50 50 6A 68 58 CD 80 89 47 EC B0 6A CD 80 B0 1E CD 80 50 50 6A 5A 58 CD 80 FF|"; fast_pattern:only; classtype:shellcode-detect; sid:30359; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_shell_bind_ipv6_tcp"; content:"|31 C0 50 40 50 6A 1C 6A 61 58 50 CD 80 89 C3 31 D2 52 52 52 52 52 52 68 1C 1C 11 5C 89 E1 6A 1C 51 50 6A 68 58 50 CD 80 B0 6A CD 80 52 53 B6 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30358; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_x86_exec"; content:"|6A 3B 58 99 52 68 2D 63 00 00 89 E7 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 E8 08 00 00 00 2F 62 69 6E 2F 73 68 00 57 53 89 E1 52 51 53 50 CD|"; fast_pattern:only; classtype:shellcode-detect; sid:30357; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_reverse_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 92 10 20 03 92 A2 60 01 82 10 20 5A 91 D0 20 08 12 BF FF FD|"; fast_pattern:only; classtype:shellcode-detect; sid:30356; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload bsd_sparc_shell_bind_tcp"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 21 3F C0 80 E0 23 BF F0 C0 23 BF F4 92 23 A0 10 94 10 20 10|"; fast_pattern:only; classtype:shellcode-detect; sid:30355; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload android_shell_reverse_tcp"; content:"|BB F5 F2 DF 82 54 99 5E 7C A7 92 76 3F 1B F0 EF 72 B4 B4 5B 07 FF 7E 8C 7F 19 1D 92 DF 97 F1 2F 93 98 FC 0D EA BF 50 4B 03 04 14 00 00 00 08 00|"; fast_pattern:only; classtype:shellcode-detect; sid:30354; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_reverse_tcp"; content:"|7C A5 2A 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 25 7F C9 03 A6 4E 80 04 20 FF 02 11 5C 0A 07 00 2B 4C C6 33 42 44 FF FF 02 3B DE FF F8|"; fast_pattern:only; classtype:shellcode-detect; sid:30353; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_interact"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 3B FF 01 20 38 7F FF 08 38 9F FF 10 90 7F FF 10 90 BF FF 14 88 5F FF 0F 98 BF FF 0F 4C C6 33 42 44 FF FF 02|"; fast_pattern:only; classtype:shellcode-detect; sid:30352; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_find_port"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 97 E1 FF FC|"; fast_pattern:only; classtype:shellcode-detect; sid:30351; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Metasploit payload aix_ppc_shell_bind_tcp"; content:"|7F FF FA 79 40 82 FF FD 7F C8 02 A6 3B DE 01 FF 3B DE FE 1D 7F C9 03 A6 4E 80 04 20 4C C6 33 42 44 FF FF 02 3B DE FF F8 3B A0 07 FF 7C A5 2A 78|"; fast_pattern:only; classtype:shellcode-detect; sid:30350; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE ASCII heapspray characters detected"; flow:to_client,established; file_data; content:"0d0d0d0d"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter.html; classtype:attempted-user; sid:33339; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_server,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:shellcode-detect; sid:34019; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE percent encoded heapspray detected"; flow:to_client,established; file_data; content:"%68%65%61%70%73%70%72%61%79"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:34018; rev:2;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SHELLCODE Metasploit payload cmd_unix_reverse_perl"; flow:to_server,established; content:"|70 65 72 6C 20 2D 4D 49 4F 20 2D 65 20 27 24 70 3D 66 6F 72 6B 3B 65 78 69 74 2C 69 66 28 24 70 29 3B 66 6F 72 65 61 63 68 20 6D 79 20 24 6B 65|"; fast_pattern:only; http_uri; classtype:shellcode-detect; sid:34224; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26791; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26790; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26787; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"agent"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:26786; rev:6;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25640; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"block"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25[0-9a-f]{2}([\x22\x27]\s*\x2B\s*[\x22\x27])?\x25[0-9a-f]{2}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25639; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"shellcode"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25636; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoder shellcode"; flow:to_client,established; content:"unescape"; content:"spray"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:25634; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_client,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23862; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_client,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:attempted-user; sid:23860; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - hexadecimal encoding"; flow:to_server,established; file_data; content:"|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c|5C|x0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23859; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE heapspray characters detected - ASCII"; flow:to_server,established; file_data; content:"0c0c0c0c0c0c0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:23857; rev:9;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Feng-Shui heap grooming using Oleaut32"; flow:to_client, established; file_data; content:"Oleaut32"; fast_pattern:only; content:"CollectGarbage"; nocase; content:"heapLib"; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.phreedom.org/research/heap-feng-shui/; classtype:shellcode-detect; sid:21258; rev:9;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_net_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_net_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_net_(config_get_interfaces|config_get_routes|config_add_route|config_remove_route|udp_client|tcp_server|tcp_client|socket_tcp_shutdown)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20191; rev:7;)
|
||
|
# alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE Metasploit meterpreter stdapi_sys_config_method request/response attempt"; flow:established; pkt_data; content:"|00 01 00 01|stdapi_sys_config_"; fast_pattern:only; pcre:"/\x00\x00\x00[\x00\x01].{4}\x00\x01\x00\x01stdapi_sys_config_(getuid|sysinfo|rev2self|steal_token|drop_token|getprivs)/"; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:20188; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode tolower encoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; within:9; distance:1; fast_pattern; content:"|03 0C 24 6A 04|"; within:5; distance:1; content:"|5F 29 39 03 0C 24|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19288; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed encoder"; content:"YAZBABABABABkMAGB9u4JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19287; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode uppercase encoder"; content:"1AYAZBABABABAB30APB944JB"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19286; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic non-alpha/non-upper encoder"; content:"|66 B9 FF FF EB 19 5E 8B FE 83 C7|"; fast_pattern; content:"|8B D7 3B F2 7D 0B B0 7B F2 AE FF|"; within:11; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19285; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic time-based context keyed encoder"; content:"|31 DB 8D 43 0D CD 80 66 31 C0|"; fast_pattern; content:"|D9 74 24 F4|"; distance:0; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19284; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic stat-based context keyed encoder"; content:"|D9 EE D9 74 24 F4 5B|"; fast_pattern; byte_jump:1,1,relative; content:"|83 C3 09 8D 53|"; within:5; content:"|31 C0 88 02 8D 4C 24 A8|"; within:8; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19283; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic cpuid-based context keyed encoder"; content:"|31 F6 31 FF 89 F8 31 C9 0F A2 31 C6 39 F0 75 03 8D 78 01 31|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19282; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic single-byte xor countodwn encoder"; content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:19281; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u4141%u4141"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18168; rev:14;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u9090%u9090"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:18167; rev:14;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var heapspray"; flow:to_client,established; file_data; content:" heapspray"; nocase; pcre:"/var\s+heapspray[A-Z\d_\s]*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17393; rev:12;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE JavaScript var shellcode"; flow:to_client,established; file_data; content:" shellcode"; nocase; pcre:"/var\s+shellcode\s*=/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:17392; rev:11;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17345; rev:8;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic xor dword decoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance:4; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17344; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode upper case decoder"; content:"Q|00|A|00|T|00|A|00|X|00|A|00|Z|00|A|00|P|00|U|00|3|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17343; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic unicode mixed case decoder"; content:"j|00|X|00|A|00|Q|00|A|00|D|00|A|00|Z|00|A|00|B|00|A|00|R|00|A|00|L|00|A|00|Y|00|A|00|I|00|A|00|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17342; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha UTF8 tolower avoidance decoder"; content:"|6A|"; content:"|6B 3C 24 0B 60 03 0C 24 6A|"; distance:1; content:"03 0c 24 6a 04"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17341; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder"; content:"VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8A"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17340; rev:9;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 generic OS alpha numeric mixed case decoder"; content:"jAXP0A0AkAAQ2AB2BB0BBABXP8ABu"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17339; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Windows 32-bit SEH get EIP technique"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17338; rev:8;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Microsoft Win32 export table enumeration variant"; content:"|8B 6C 24 24 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17337; rev:9;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic call geteip byte xor decoder"; content:"|EB 10|"; content:"|31 C9 66 81 E9|"; distance:1; content:"|E2 FA EB 05 E8 EB FF FF FF|"; distance:5; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17336; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip byte xor decoder"; content:"|D9 E1 D9 34 24|"; content:"|E7 31 C9 66 81 E9|"; distance:6; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17335; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic alpha numeric upper case decoder variant"; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17325; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 Linux reverse connect shellcode"; content:"|31 DB 53 43 53 6A 02 6A 66 58 89 E1 CD 80|"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17324; rev:7;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic fnstenv geteip dword xor decoder"; content:"|D9 EE D9 74 24 F4|"; content:"|81|"; distance:1; content:"|13|"; distance:1; content:"|83|"; distance:1; content:"|FC E2 F4|"; distance:1; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:17322; rev:7;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"INDICATOR-SHELLCODE x86 win2k-2k3 decoder base shellcode"; flow:to_server,established; content:"|C7 0B|GGGG|81|7"; content:"u|F4|"; within:2; distance:4; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,19409; reference:cve,2006-3439; classtype:attempted-user; sid:15902; rev:8;)
|
||
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Possible generic javascript heap spray attempt"; flow:to_client,established; content:"%u0c0c%u0c0c"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,35660; reference:cve,2009-2477; classtype:attempted-user; sid:15698; rev:15;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:14986; rev:10;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12802; rev:10;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0ND"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12800; rev:10;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJC"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12799; rev:10;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE base64 x86 NOOP"; content:"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:12798; rev:10;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape unicode encoded shellcode"; flow:to_client,established; content:"u|00|n|00|e|00|s|00|c|00|a|00|p|00|e|00|"; fast_pattern:only; pcre:"/(s\x00p\x00r\x00a\x00y\x00|r\x00e\x00t\x00u\x00r\x00n\x00_\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00c\x00o\x00d\x00e\x00|s\x00h\x00e\x00l\x00l\x00c\x00o\x00d\x00e\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00|r\x00e\x00t\x00a\x00d\x00d\x00r\x00e\x00s\x00s\x00|b\x00l\x00o\x00c\x00k\x00|p\x00a\x00y\x00l\x00o\x00a\x00d\x00|a\x00g\x00e\x00n\x00t\x00|h\x00s\x00p\x00t\x00)/smi"; pcre:"/u\x00n\x00e\x00s\x00c\x00a\x00p\x00e\x00\s*\x28(\x22|\x27|\x26quot\x3B|\x5c\x22)/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:12630; rev:11;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"payload"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10505; rev:14;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE unescape encoded shellcode"; flow:to_client,established; content:"unescape"; content:"return_address"; fast_pattern:only; pcre:"/unescape\s*\x28\s*[\x22\x27]\x25u[0-9a-f]{4}(\x22\x27]\s*\x2B\s*[\x22\x27])?\x25u[0-9a-f]{4}/smi"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:10504; rev:12;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Javascript 0xCCCC unicode unescape"; flow:to_client,established; file_data; content:"unescape|28|"; nocase; content:"%ucccc"; within:200; fast_pattern; nocase; metadata:service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:37583; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; flow:to_server,established; file_data; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; classtype:shellcode-detect; sid:40279; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 OS agnostic dword additive feedback decoder"; flow:to_client,established; file_data; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:40278; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|EB 03 59 EB 05 E8 F8 FF FF FF 49 49 49 49 49 49 49 49 49 49 37 49 49 49 49 49 49 49 51 5A 6A 49 58 30 42 30 50 42 6B 42 41 59 42 41 32 42 41 32 41 41|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41297; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 3B FF 07 FA 38 A5 F8 4A 3C C0 EB 83 60 C6 F8 1C 38 85 07 EE 7C 89 03 A6 80 9F F8 4A 7C 84 32 78 90 9F F8 4A 7C 05|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41296; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|7C 63 1A 79 40 82 FF FD 7D A8 02 A6 38 C3 E1 35 39 80 01 18 39 AD 1F FF 81 CD E1 39 81 ED E1 35 7D EF 72 78 91 ED E1 35 7C 06 68 AC 7C 01 04 AC 7C 06|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41295; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|29 C9 B8 71 16 14 7D B1 51 DA D8 D9 74 24 F4 5B 31 43 0E 83 EB FC 03 32 1C F6 88 48 4A 1D 3F 58 72 1E 3F 67 E5 6A AC B3 C2 E7 68 87 81 84 77 8F 94 9B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41294; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 decoder"; content:"|23 24 EF B4 A2 14 62 78 20 BF FF FF 20 BF FF FF 7F FF FF FF EA 03 E0 20 AA 9D 40 11 EA 23 E0 20 A2 04 40 15 81 DB E0 20 12 BF FF FB 9E 03 E0 04 0F 95|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41293; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 PassiveX stage"; content:"|FC E8 8E 00 00 00 53 6F 66 74 77 61 72 65 5C 4D 69 63 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 49 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41292; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 EMET disable"; content:"|58 94 C3 66 58 C3 E8 27 B7 67 FF 20 66 5B C3 66 BB 3C 00 00 00 66 01 C3 C3 66 31 ED C3 66 01 C5 C3 66 67 03 03 C3 66 5B C3 66 BB 28 00 00 00 66 01 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41291; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 download execute"; content:"|EB 10 5A 4A 33 C9 66 B9 3C 01 80 34 0A 99 E2 FA EB 05 E8 EB FF FF FF 70 4C 99 99 99 C3 FD 38 A9 99 99 99 12 D9 95 12 E9 85 34 12 D9 91 12 41 12 EA A5|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41290; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Windows x86 add user"; content:"|FC E8 44 00 00 00 8B 45 3C 8B 7C 05 78 01 EF 8B 4F 18 8B 5F 20 01 EB 49 8B 34 8B 01 EE 31 C0 99 AC 84 C0 74 07 C1 CA 0D 01 C2 EB F4 3B 54 24 04 75 E5|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41289; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 reverse connect shell"; content:"|B8 FF F8 FF 3C F7 D0 50 31 C0 B0 9A 50 89 E5 31 C9 51 41 41 51 51 B0 E6 FF D5 31 D2 89 C7 68 66 68 93 93 66 51 10 E1 6A 10 56 57 B0 EB FF D5 31 D2 B2|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41288; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 FindSock shell"; content:"|56 5F 83 EF 7C 57 8D 4F 10 B0 91 AB AB 91 AB 95 B5 54 51 66 B9 01 01 51 33 C0 B0 36 FF D6 59 33 DB 3B C3 75 0A 66 BB 00 00 66 39 5D 02 74 02 E2 E6 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41287; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Solaris x86 bind shell"; content:"|B8 FF F8 FF 3C F7 D0 50 31 C0 B0 9A 50 89 E5 31 C9 51 41 41 51 51 B0 E6 FF D5 31 D2 89 C7 52 66 68 11 5C 66 51 89 E6 6A 10 56 57 B0 E8 FF D5 B0 E9 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41286; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SCO OpenServer x86 shell"; content:"|31 C9 89 E3 68 D0 8C 97 FF 68 D0 9D 96 91 89 E2 68 FF F8 FF 6F 68 9A FF FF FF 80 F1 10 F6 13 4B E2 FB 91 50 54 52 50 34 3B FF E3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41285; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE OpenBSD x86 bind shell"; content:"|41 51 C9 31 51 51 41 51 61 B0 C0 31 07 89 80 CD 4F 88 C9 31 05 47 C6 04 08 4F 89 02 06 47 C7 66 10 6A 39 1B 50 04 47 8D 50 50 07 8B 68 B0 C0 31 01 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41284; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE OpenBSD x86 add user"; content:"|EB 2B 5E 31 C0 88 46 0B 88 46 29 50 B0 09 50 31 C0 56 50 B0 05 CD 80 89 C3 6A 1D 8D 46 0C 50 53 50 31 C0 B0 04 CD 80 31 C0 B0 01 CD 80 E8 D0 FF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41283; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|EB 23 5E 8D 1E 89 5E 0B 31 D2 89 56 07 89 56 0F 89 56 14 88 56 19 31 C0 B0 3B 8D 4E 0B 89 CA 52 51 53 50 EB 18 E8 D8 FF FF FF 2F 62 69 6E 2F 73 68 01|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41282; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|99 52 52 52 6A 7E 58 CD 80 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 52 54 53 52 34 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41281; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 shell"; content:"|31 C0 50 50 50 34 7E CD 80 58 68 2F 2F 73 68 68 2F 62 69 6E 89 E3 50 54 53 50 34 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41280; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE NetBSD x86 reverse connect shell"; content:"|31 C0 31 C9 50 40 50 40 50 50 B0 61 CD 80 89 C3 89 E2 49 51 51 41 68 F5 FF FF FD 68 FF FD E5 F5 B1 10 51 F6 12 4A E2 FB F6 12 52 50 50 B0 62 CD 80 B1|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41279; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - solaris/linux/irix"; content:"|37 37 EB 2F 30 80 00 12 04 10 FF FF 24 02 03 F3 23 FF 02 14 23 E4 FE 08 23 E5 FE 10 AF E4 FE 10 AF E0 FE 14 A3 E0 FE 0F 03 FF FF CC 2F 62 69 6E 2F 73|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41278; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - solaris/linux"; content:"|90 90 EB 34 21 0B D8 9A A0 14 21 6E 23 0B CB DC A2 14 63 68 E0 3B BF F0 C0 23 BF F8 90 23 A0 10 C0 23 BF EC D0 23 BF E8 92 23 A0 18 94 22 80 0A 82 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41277; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - osx x86/ppc"; content:"|5F 90 EB 48 7C A5 2A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE CF 7C A8 29 AE 38 7F FE C8 90 61 FF F8 90 A1 FF FC 38 81 FF F8 38 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41276; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Multi-OS shell - linux x86/ppc"; content:"|5F 90 EB 48 69 69 69 69 69 69 69 69 69 69 69 69 7C 3F 0B 78 7C A5 2A 79 42 40 FF F9 7F 08 02 A6 3B 18 01 34 98 B8 FE FB 38 78 FE F4 90 61 FF F8 38 81|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41275; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC Xterm execution"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 39 5F 01 70 39 0A FE FC 7C A8 29 AE 39 0A FF 05 7C A8 29 AE 39 0A FF 14 7C A8 29 AE 38 6A FF 06 90 61 FF F8 38 6A|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41274; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC shell setuid"; content:"|7C 63 1A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE DF 7C 68 19 AE 38 0A FE A7 44 FF FF 02 60 60 60 60 7C A5 2A 79 38 7F FE D8 90 61|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41273; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC shell"; content:"|7C A5 2A 79 40 82 FF FD 7D 68 02 A6 3B EB 01 70 39 40 01 70 39 1F FE CF 7C A8 29 AE 38 7F FE C8 90 61 FF F8 90 A1 FF FC 38 81 FF F8 38 0A FE CB 44 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41272; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse stage null free"; content:"|3B 60 30 91 38 1B CF D0 38 7B CF 71 38 9B CF 70 38 BB CF 75 44 FF FF 02 7C A5 2A 78 7C 7E 1B 78 3B 20 11 E0 6B 39 01 01 3B BB CF 71 57 BD 80 1E 7F BD|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41271; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse stage"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 10 E1 7F 00 00 01 7C 88 02 A6 38 A0 00 10 38 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41270; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reverse shell"; content:"|38 60 00 02 38 80 00 01 38 A0 00 06 38 00 00 61 44 00 00 02 7C 00 02 78 7C 7E 1B 78 48 00 00 0D 00 02 10 E1 7C 88 02 A6 38 A0 00 10 38 00 00 62 7F C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41269; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC reboot"; content:"|7C 63 1A 79 39 40 01 70 38 0A FE B4 44 FF FF 02 60 60 60 60 38 0A FE C7 44 FF FF 02|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41268; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC INETD backdoor"; content:"|7C A5 2A 79 40 82 FF FD 7D 48 02 A6 3B EA 01 70 39 60 01 70 39 1F FF 1B 7C A8 29 AE 39 1F FF 65 7C A8 29 AE 38 7F FF 0C 38 8B FE 99 38 A0 FF FF 38 0B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41267; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC create setuid"; content:"|7C A5 2A 79 40 82 FF FD 7F E8 02 A6 39 1F 01 71 39 08 FE F4 7C A8 29 AE 38 7F 01 68 38 63 FE F4 38 80 02 01 38 A0 FF FF 39 40 01 70 38 0A FE 95 44 FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41266; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Mac OS X PPC add user"; content:"|7C A5 2A 79 40 82 FF FD 7D 48 02 A6 3B EA 01 70 39 60 01 70 39 1F FF 0D 7C A8 29 AE 38 7F FF 04 38 80 02 01 38 A0 FF FF 38 0B FE 95 44 FF FF 02 60 60|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41265; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 reverse connect UDP shell"; content:"|31 DB 53 6A 02 6A 02 43 6A 66 58 89 E1 CD 80 93 59 B0 3F CD 80 49 79 F9 5B 5A 68 66 68 10 E1 66 53 89 E1 6A 10 51 53 89 E1 43 B0 66 CD 80 6A 0B 58 52|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41264; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 FindSock shell"; content:"|31 D2 52 89 E5 6A 07 5B 6A 10 54 55 52 89 E1 FF 01 6A 66 58 CD 80 66 81 7D 02 00 00 75 F1 5B 6A 02 59 B0 3F CD 80 49 79 F9 52 68 2F 2F 73 68 68 2F 62|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41263; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux x86 execute"; content:"|6A 0B 58 99 52 66 68 2D 63 89 E7 68 2F 73 68 00 68 2F 62 69 6E 89 E3 52 E8 09 00 00 00 69 66 63 6F 6E 66 69 67 00 57 53 89 E1 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41262; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC reverse connect shell"; content:"|9D E3 BF 80 90 10 20 02 D0 37 BF E0 90 10 29 09 D0 37 BF E2 13 30 2A 19 90 12 60 01 D0 27 BF E4 90 10 20 02 92 10 20 01 94 22 60 01 D0 23 A0 44 D2 23|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41261; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC reverse connect shell"; content:"|9C 2B A0 07 90 10 20 01 A0 10 20 02 E0 23 BF F4 D0 23 BF F8 C0 23 BF FC 92 23 A0 0C 82 10 20 CE 91 D0 20 10 A4 23 A0 20 A6 10 20 10 D0 23 BF F4 E6 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41260; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC FindSock shell"; content:"|AC 10 20 00 9C 2B A0 07 90 1A 80 0A D0 23 BF E0 90 02 20 01 90 0A 2F FF 96 10 20 10 94 23 A0 04 92 23 A0 20 D0 3B BF F0 D4 3B BF F8 92 23 A0 10 90 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41259; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC bind shell"; content:"|9D E3 BF 78 90 10 20 02 92 10 20 01 94 22 80 0A D0 23 A0 44 D2 23 A0 48 D4 23 A0 4C 90 10 20 01 92 03 A0 44 82 10 20 CE 91 D0 20 10 D0 27 BF F4 90 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41258; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux SPARC bind shell"; content:"|9C 2B A0 07 A0 10 20 02 90 10 20 01 E0 23 BF F4 D0 23 BF F8 C0 23 BF FC 92 23 A0 0C 82 10 20 CE 91 D0 20 10 A4 23 A0 20 A6 10 20 10 D0 23 BF F4 E6 3B|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41257; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC shell"; content:"|7C C6 32 78 2F 86 7F FF 41 BC 00 54 7C 68 02 A6 B0 C3 FF F9 B0 C3 FF F1 38 86 7F F0 38 A6 7F F4 38 E6 7F F3 7C A5 22 78 7C E7 22 78 7C 85 3A 14 7C C4|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41256; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC shell"; content:"|7C 3F 0B 78 7C A5 2A 79 42 40 FF F9 7F 08 02 A6 3B 18 01 34 98 B8 FE FB 38 78 FE F4 90 61 FF F8 38 81 FF F8 90 A1 FF FC 3B C0 01 60 7F C0 2E 70 44 DE|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41255; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC reverse connect shell"; content:"|7C 3F 0B 78 3B 40 01 0E 3B 5A FE F4 7F 43 D3 78 3B 60 01 0D 3B 7B FE F4 7F 64 DB 78 7C A5 2A 78 7C 3C 0B 78 3B 9C 01 0C 90 7C FF 08 90 9C FF 0C 90 BC|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41254; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux PPC read execute"; content:"|7C 63 1A 79 38 A0 04 04 30 05 FB FF 7C 24 0B 78 44 DE AD F2 69 69 69 69 7C 29 03 A6 4E 80 04 21|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41253; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux MIPS shell"; content:"|FF FF 10 04 AB 0F 02 24 55 F0 46 20 66 06 FF 23 C2 F9 EC 23 66 06 BD 23 9A F9 AC AF 9E F9 A6 AF 9A F9 BD 23 21 20 80 01 21 28 A0 03 CC CD 44 03 2F 62|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41252; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE IRIX MIPS shell"; content:"|04 10 FF FF 24 02 03 F3 23 FF 01 14 23 E4 FF 08 23 E5 FF 10 AF E4 FF 10 AF E0 FF 14 A3 E0 FF 0F 03 FF FF CC 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41251; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX PA-RISC shell"; content:"|E8 3F 1F FD 08 21 02 80 34 02 01 02 08 41 04 02 60 40 01 62 B4 5A 01 54 0B 39 02 99 0B 18 02 98 34 16 04 BE 20 20 08 01 E4 20 E0 08 96 D6 05 34 DE AD|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41250; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell"; content:"|EB 17 5B 31 C0 88 43 07 89 5B 08 89 43 0C 50 8D 53 08 52 53 B0 3B 50 CD 80 E8 E4 FF FF FF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41249; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell"; content:"|99 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 51 52 53 53 6A 3B 58 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41248; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 shell - chown/chmod/exec"; content:"|31 C0 50 68 2F 2F 73 68 68 2F 74 6D 70 89 E3 50 50 53 50 B0 10 CD 80 31 C0 66 0D ED 0D 50 53 50 31 C0 B0 0F CD 80 B0 01 50 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41247; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE freeBSD x86 kldload"; content:"|EB 2C 5E 31 C0 B0 17 50 CD 80 31 C0 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 66 68 2D 63 89 E7 50 56 57 53 89 E7 50 57 53 50 B0 3B CD 80 E8 CF FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41246; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell - evade"; content:"|EB 1B 5E 31 C0 6A 1A 6A 17 59 49 5B 8A 04 0E F6 D3 30 D8 88 04 0E 50 85 C9 75 EF EB 05 E8 E0 FF FF FF 0E 6F C7 F9 BE A3 E4 FF B8 FF B2 F4 1F 95 4C FB|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41245; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell - evade"; content:"|EB 0E 5E 31 C9 B1 1C FE 04 0E E2 FB FE 06 56 C3 E8 ED FF FF FF EA 0D 5D 30 BF 87 45 06 4F 53 55 AF 3A 4F CC 7F E7 EC FE FE FE 2E 61 68 6D 2E 72 67|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41244; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 shell"; content:"|EB 0D 5F 31 C0 50 89 E2 52 57 54 B0 3B CD 80 E8 EE FF FF FF 2F 62 69 6E 2F 73 68|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41243; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 setuid shell"; content:"|31 C0 50 B0 17 50 CD 80 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 54 53 50 B0 3B CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41242; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse stage"; content:"|6A 61 58 99 52 42 52 42 52 68 7F 00 00 01 CD 80 68 10 02 10 E1 89 E1 6A 10 51 50 51 97 6A 62 58 CD 80 B0 03 C6 41 FD 10 CD 80 C3|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41241; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse connect shell"; content:"|EB 68 5E 31 C0 31 DB B3 06 53 B3 01 53 B3 02 53 53 B0 61 CD 80 89 C2 C6 46 01 02 66 C7 46 02 69 7A B3 10 53 8D 1E 53 50 50 B0 62 CD 80 31 DB 53 52 B0|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41240; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 reverse connect shell"; content:"|EB 56 5E 31 C0 C6 46 01 02 66 C7 46 02 AE 08 C7 46 04 C3 2E 40 28 6A 06 6A 01 6A 02 B0 61 50 CD 80 89 C2 6A 10 8D 06 50 52 31 C0 B0 62 50 CD 80 B1 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41239; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 mail passwd"; content:"|EB 25 59 31 C0 50 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 50 66 68 2D 63 89 E7 50 51 57 53 89 E7 50 57 53 50 B0 3B CD 80 E8 D6 FF FF FF 2F 62 69 6E 2F 63|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41238; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 FindSock shell"; content:"|31 FF 57 89 E5 47 89 EC 6A 10 54 55 57 6A 1F 58 6A 02 CD 80 66 81 7D 02 00 00 75 E9 59 51 57 6A 5A 58 51 CD 80 49 79 F5 68 2F 2F 73 68 68 2F 62 69 6E|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41237; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 FindRecv stage"; content:"|31 D2 52 89 E6 52 52 B2 80 52 B6 0C 52 56 52 52 66 FF 46 E8 6A 1D 58 CD 80 81 3E 6D 73 66 21 75 EF FC AD 5A 5F 5A FF E6|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41236; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 execute"; content:"|6A 3B 58 99 52 66 68 2D 63 89 E7 52 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 E8 09 00 00 00 69 66 63 6F 6E 66 69 67 00 57 53 89 E1 52 51 53 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41235; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 chroot"; content:"|68 62 2E 2E 2E 89 E7 33 C0 88 47 03 57 B0 88 50 CD 80 57 B0 3D 50 CD 80 47 33 C9 B1 FF 57 50 B0 0C CD 80 E2 FA 47 57 B0 3D 50 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41234; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD x86 bind stage"; content:"|6A 61 58 99 52 68 10 02 11 5C 89 E1 52 42 52 42 52 6A 10 CD 80 99 93 51 53 52 6A 68 58 CD 80 B0 6A CD 80 52 53 B6 10 52 B0 1E CD 80 51 50 51 97 6A 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41233; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD SPARC bind shell"; content:"|9C 2B A0 07 94 1A C0 0B 92 10 20 01 90 10 20 02 82 10 20 61 91 D0 20 08 D0 23 BF F8 21 3F C0 84 A0 14 21 5C E0 23 BF F0 C0 23 BF F4 92 23 A0 10 94 10|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41232; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSD PPC shell"; content:"|7C C6 32 78 2F 86 7F FF 41 BC 00 5C 7C 68 02 A6 B0 C3 FF F9 B0 C3 FF F1 38 86 7F F0 38 A6 7F F4 38 E6 7F F3 7C A5 22 78 7C E7 22 78 7C 85 3A 14 7C C4|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41231; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 shell toupper"; content:"|EB 57 5E 31 DB 83 C3 08 83 C3 02 88 5E 26 31 DB 83 C3 23 83 C3 23 88 5E A8 31 DB 83 C3 26 83 C3 30 88 5E C2 31 C0 88 46 0B 89 F3 83 C0 05 31 C9 83 C1|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41230; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 shell"; content:"|EB 1F 5E 31 C0 89 46 F5 88 46 FA 89 46 0C 89 76 08 50 8D 5E 08 53 56 56 B0 3B 9A FF FF FF FF 07 FF E8 DC FF FF FF 2F 62 69 6E 2F 73 68 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41229; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 reverse connect stage"; content:"|89 E5 68 00 07 00 C3 B8 9A 00 00 00 99 50 89 E6 52 42 52 42 52 6A 61 58 FF D6 97 68 7F 00 00 01 68 10 02 10 E1 89 E3 6A 10 53 57 6A 62 58 FF D6 B0 03|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41228; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE BSDi x86 bind stage"; content:"|89 E5 68 00 07 00 C3 B8 9A 00 00 00 99 50 89 E6 31 C0 50 40 50 40 50 B0 61 FF D6 52 68 10 02 11 5C 89 E3 6A 10 53 50 6A 68 58 FF D6 B0 6A FF D6 59 52|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41227; rev:1;)
|
||
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX /bin/sh"; content:"|7C 08 02 A6 94 21 FB B0 90 01 04 58 3C 60 F0 19 60 63 2C 48 90 61 04 40 3C 60 D0 02 60 63 4C 0C 90 61 04 44 3C 60 2F 62 60 63 69 6E 90 61 04 38 3C 60|"; fast_pattern:only; metadata:policy max-detect-ips drop; classtype:shellcode-detect; sid:41226; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE single byte x86 xor decryption routine"; flow:to_client,established; file_data; content:"EB125831C966B96D0549803408"; content:"85C975F7FFE0E8E9FFFFFF"; within:22; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:43255; rev:1;)
|
||
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets"; flow:to_client,established; content:"0x7ffe026c"; content:"0x7ffe0270"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:43254; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SHELLCODE KernelFuzzer system call 64 bit"; flow:to_server,established; file_data; content:"|8B 4D 50 51 48 8B 4D 48 51 48 8B 4D 40 51 48 8B 4D 38 51 4C 8B 4D 30 49 8B CA 0F 05 48 8B E5 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:shellcode-detect; sid:49691; rev:1;)
|
||
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SHELLCODE KernelFuzzer system call 64 bit"; flow:to_client,established; file_data; content:"|8B 4D 50 51 48 8B 4D 48 51 48 8B 4D 40 51 48 8B 4D 38 51 4C 8B 4D 30 49 8B CA 0F 05 48 8B E5 5D|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:shellcode-detect; sid:49690; rev:1;)
|