snort2-docker/docker/etc/rules/netbios.rules

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------
# NETBIOS RULES
#---------------
# sid 534/535 (disabled): flag a "\.." / "\..." path component followed by
# three NULs in any established client->server stream on 139.  Nothing in
# either rule anchors on an SMB header (no "|FF|SMB" content), so they fire
# on the bare byte pattern wherever it appears in the stream; classtype
# attempted-recon (directory-traversal probing).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;)
# sid 2103 (disabled): SMB1 Trans2 (command 0x32, "2") on 139 whose
# subcommand word is |00 00| (OPEN2) and whose 2-byte little-endian field 12
# bytes before it -- the maximum parameter count, per the msg -- exceeds
# 1024 (CVE-2003-0201).  The byte_test "&,128" on the header flags selects
# the unicode form.  Note the pcre here is "/^.{27}/sR": the "s" modifier
# lets "." match 0x0A, which a skip over binary header bytes needs.  Most
# sibling rules below do the same 27-byte skip with "/R" and no "s"; see the
# caveat on those.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:ruleset community; reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:16;)
# sid 2191 (disabled): SMB1 Trans (command 0x25, "%") on 445 addressed to
# \PIPE\ and carrying a DCE/RPC PDU with version byte 0x05 and packet type
# 0x0B (bind, per the msg) whose following flag byte has bit 0 set and
# which has a zero byte 21 bytes further on; classtype attempted-dos.
# This is the pre-preprocessor, raw-offset way of matching DCE/RPC over
# SMB; the dcerpc2 options (dce_iface/dce_opnum, cf. sid 2942 below) are
# the supported form today.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
# sid 2401/2402 (disabled): Session Setup AndX (command 0x73, "s") chained
# behind another AndX command, non-unicode form ("!&,128"), where the 255
# bytes starting 29 bytes past the jump target contain no NUL -- an account
# name that is not terminated within 255 bytes (CVE-2004-0193, eEye
# AD20040226).  2401 is port 139, 2402 is port 445.  Both are
# flow:stateless, so they are evaluated on packets outside any tracked
# session as well, including unsolicited or spoofed segments.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2401; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2402; rev:10;)
# sid 2563/2564 (disabled): NBNS responses (udp 137 -> udp 137) -- top bit
# of the byte at offset 2 set (the response flag, per the msg) and |00 01|
# at offset 6 -- with either a byte at offset 12 greater than 32 (2563, the
# name length per the msg) or a total datagram shorter than 56 bytes
# (2564).  Both reference CVE-2004-0444 (eEye AD20040512A/C).  The source
# port is pinned to 137, so a responder that answers from an ephemeral
# port is not matched by either rule.
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:7;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:7;)
# sid 2924 (disabled): server -> client Session Setup AndX response
# (command 0x73, "s") whose NT status bytes are "m|00 00 C0|", i.e.
# 0xC000006D STATUS_LOGON_FAILURE in little-endian order, seen more than
# 10 times in 60 s.  detection_filter tracks by_dst, which in this
# server->client direction is the external client doing the guessing, so
# the threshold is per attacking source.  "no_stream" inspects the raw
# packet rather than the reassembled stream.  This is the only
# brute-force / password-spray signal for SMB in this section and it is
# off; worth re-enabling (or carrying in local.rules) wherever 445 is
# reachable from $EXTERNAL_NET.  classtype unsuccessful-user.
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9;)
# sid 2474 (disabled): Tree Connect AndX (command 0x75, "u") on 445 naming
# the ADMIN$ share.  byte_test "!&,128" on the header flags restricts it to
# the non-unicode form; a unicode Tree Connect spells the share name with
# interleaved NULs and is not matched by content:"ADMIN|24 00|", so a
# modern client connecting to ADMIN$ would pass this rule even if it were
# enabled.  A remote ADMIN$ connect is the usual prelude to service-based
# remote execution (psexec-style lateral movement); if this is turned on,
# pair it with a unicode sibling if the loaded ruleset carries one.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10;)
# sid 2942 (disabled): winreg interface (UUID 338cd001-2244-31f1-aaaa-
# 900038001003) opnum 24 over SMB on 139/445 -- InitiateSystemShutdown, a
# remote shutdown/reboot request, per the msg and reference.  Unlike the
# raw-offset rules around it this uses the dcerpc2 preprocessor
# (dce_iface/dce_opnum) rather than byte offsets into the PDU.  A remote
# shutdown request from $EXTERNAL_NET is an administrative action, yet the
# classtype is the low-priority protocol-command-decode; if re-enabled,
# consider a higher-priority classtype locally.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)
# sid 3018-3025 (disabled): NT Trans (command 0xA0) with function word
# |01 00| (NT_TRANSACT_CREATE) where a 4-byte little-endian field reached
# via the header offset (the Security Descriptor length, per the msg)
# exceeds 1024 (CVE-2004-1154).  Eight copies cover {139,445} x
# {direct, AndX-chained} x {ascii, unicode}: direct rules match
# "|FF|SMB|A0|", AndX rules match the AndX pcre then "|A0|" at offset 39;
# byte_test "!&,128" selects ascii and "&,128" selects unicode.
# Caveat for every rule here that uses pcre:"/^.{27}/R": without the "s"
# modifier "." does not match 0x0A.  The 27 bytes skipped are the rest of
# the 32-byte SMB1 header after the command byte, and some of them (PID,
# MID) are chosen by the client, so a 0x0A there makes the pcre fail and
# the rule silently misses; sid 2103 above does the same skip with "/sR".
# If these are re-enabled, use pcre:"/^.{27}/sR" and bump rev.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
# sid 3026-3033 (disabled): same NT_TRANSACT_CREATE framing as 3018-3025,
# then: require the 4-byte field 12 bytes into the security descriptor
# (the SACL offset, per the msg) to be non-zero, byte_jump by it, and test
# the little-endian 4-byte field 16 bytes before the landing point against
# 32 (CVE-2004-1154).  Same 8-way {port x AndX x charset} layout as the
# block above, and the same pcre:"/^.{27}/R" caveat: no "s" modifier, so a
# 0x0A anywhere in the 27 skipped header bytes defeats the rule.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:9;)
# sid 3034-3041 (disabled): the DACL counterpart of 3026-3033 -- identical
# except that the non-zero field followed is 16 bytes into the security
# descriptor instead of 12 (the DACL offset, per the msg), then the same
# ">32" test 16 bytes before the landing point (CVE-2004-1154).  Same
# 8-way {port x AndX x charset} layout; same pcre:"/^.{27}/R" caveat (no
# "s" modifier -- a 0x0A in the skipped header bytes defeats the rule).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:5;)
# sid 3042-3049 (disabled): NT_TRANSACT_CREATE with a non-zero field 12
# bytes into the security descriptor (the SACL offset, per the msg);
# byte_jump by it and require |00 00| ten bytes before the landing point --
# a zero ACE size, per the msg, which is a DoS trigger rather than an
# overflow (no CVE reference is given).  Same 8-way layout as above.
# These are flow:stateless, so they are also evaluated on packets outside
# any tracked session.  Same pcre:"/^.{27}/R" caveat as the blocks above
# (no "s" modifier).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5;)
# sid 3050-3057 (disabled): byte-for-byte the same as 3042-3049 except the
# field followed is 16 bytes into the security descriptor rather than 12 --
# which, by the layout the SACL/DACL pairs above use (3026-3033 vs.
# 3034-3041), is the DACL slot -- yet every msg here still reads "SACL".
# Consequence: an alert from 3050-3057 is indistinguishable by message from
# one raised by 3042-3049; only the sid tells them apart.  Looks like a
# copied msg; if these are re-enabled, either key alerting/reporting on sid
# rather than msg, or change the msg to "DACL" locally and bump rev.  Same
# flow:stateless and pcre:"/^.{27}/R" (no "s") caveats as above.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5;)
# Trans2 (command byte "2" = 0x32) subcommand markers, sids 3135-3142. These
# eight rules are the only enabled ones in this section, and none of them
# alerts on its own: each sets the smb.trans2 flowbit and carries
# flowbits:noalert, so they exist solely to tag the stream for rules elsewhere
# in the ruleset that test that flowbit (those consumers are not in this
# chunk; if they are disabled, these rules cost matching time for nothing).
# Layout: ports 139 and 445 each get four rules - FIND_FIRST2 (subcommand
# word |01 00|) and QUERY_FILE_INFO (|07 00|), plain and andx. The plain form
# skips the 27 bytes after the command byte and matches the subcommand word
# 29 bytes further on; the andx form admits an AndX-capable command byte via
# the pcre alternation, expects the chained "2" at offset 39 and steps over
# it with byte_jump:2,0,little,relative before the same subcommand match.
# NOTE(review): the header skip is pcre "/^.{27}/R" here but "/^.{27}/sR" in
# sids 3639-3650 and 4651-4674 below; without the s modifier "." does not
# match 0x0A, so a header byte of that value prevents the flowbit from being
# set. Aligning on /sR (and bumping rev) would make these consistent with the
# rest of the file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:10;)
# Trans (command byte "%" = 0x25) data displacement null pointer DoS; twelve
# disabled rules, sids 3639-3650, covering TCP 139, TCP 445 and UDP 138 in
# plain, unicode, andx and unicode-andx forms (CVE-2005-1456 .. 2005-1470).
# Common tail: after the 27-byte header skip (or the andx byte_jump), the byte
# |08| must follow immediately and |00 00| must sit 14 bytes further on. The
# unicode split is the usual byte_test on the 0x80 flag (&,128 vs !&,128).
# The UDP 138 variants anchor on a NetBIOS datagram header (|11| at offset 0)
# before locating |FF|SMB; the TCP ones require flow:established,to_server.
# NOTE(review): unlike every other rule in this section, the destination here
# is $EXTERNAL_NET, not $HOME_NET. The references point at an ethereal.com
# advisory, so the intended victim may be a capture host rather than an SMB
# server; confirm the direction is deliberate before enabling, because with
# EXTERNAL_NET defined as !$HOME_NET these never match traffic into the home
# network. Only the 445 rules carry metadata:service netbios-ssn, and none
# carry metadata:ruleset community; the 139 rules are at rev:3, the rest rev:4.
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans unicode data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3641; rev:3;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans andx data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3647; rev:4;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3648; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3644; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3640; rev:3;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3646; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3639; rev:3;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3643; rev:4;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans unicode data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3649; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 139 (msg:"NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3642; rev:3;)
# alert udp $EXTERNAL_NET any -> $EXTERNAL_NET 138 (msg:"NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3650; rev:4;)
# alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|08|"; within:1; content:"|00 00|"; within:2; distance:14; metadata:service netbios-ssn; reference:bugtraq,13504; reference:cve,2005-1456; reference:cve,2005-1457; reference:cve,2005-1458; reference:cve,2005-1459; reference:cve,2005-1460; reference:cve,2005-1461; reference:cve,2005-1462; reference:cve,2005-1463; reference:cve,2005-1464; reference:cve,2005-1465; reference:cve,2005-1466; reference:cve,2005-1467; reference:cve,2005-1468; reference:cve,2005-1469; reference:cve,2005-1470; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:protocol-command-decode; sid:3645; rev:4;)
# Session Setup AndX (command byte "s" = 0x73) username overflow, community
# copies: sid 2404 (445, unicode andx) and sid 2403 (139, unicode). Both are
# disabled and use flow:stateless (evaluated per packet, no session required).
# Both require bit 0x80000000 to be clear in the 4-byte little-endian word 21
# bytes past the header skip (presumably the Capabilities field without
# extended security - verify against the request layout), then use a negated
# content to assert that no UTF-16 terminator |00 00| occurs within 510 bytes
# after a further 29-byte skip, i.e. no terminator inside what is presumed to
# be the 255-character username field. The unicode test is the 0x80 flag
# byte_test shared by the rest of this file.
# The remaining transport/encoding variants of this check are sids 5677-5684
# further down; together they cover TCP 139/445 and UDP 138.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14;)
# DCERPC bind on port 135 with an invalid context list; disabled. Matches the
# RPC version byte |05| at offset 0 and packet type |0B| (bind) at offset 2,
# requires bit 0x01 (first fragment) in the flags byte that follows, and then
# a zero byte 21 bytes further on - at that position presumably the
# context-element count; verify against the bind PDU layout. Note the
# classtype is attempted-dos, not protocol-command-decode like the SMB rules
# around it, and the rule requires flow:to_server,established rather than
# flow:stateless.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6;)
# NT Trans SET SECURITY DESC (command byte |A0|, function word |03 00|)
# DACL/SACL overflow, CVE-2004-1154: 24 disabled rules, sids 4651-4674,
# covering the full matrix of transport (TCP 139, TCP 445, UDP 138) x
# encoding (unicode / not, via the 0x80 flag byte_test) x andx / plain x
# ACL (DACL / SACL). They are listed in no particular order below.
# Common chain: match the function word 37 bytes past the header skip (or
# past the andx byte_jump), then byte_jump:4,-7,relative,from_beginning,little
# to the transaction data, skip 4 bytes (presumably the NetBIOS session
# header), require a non-zero 4-byte ACL offset - distance:12 for the SACL
# rules, distance:16 for the DACL rules, consistent with the OffsetSacl /
# OffsetDacl positions of a security descriptor header - follow that offset
# with byte_jump, and finally require the 4-byte little-endian value 16 bytes
# back from the landing point to exceed 32.
# The UDP 138 variants first anchor on a NetBIOS datagram header (|11| at
# offset 0) before locating |FF|SMB; the TCP variants need
# flow:established,to_server; only the 445 variants carry
# metadata:service netbios-ssn. The 139 rules are at rev:2, all others rev:3.
# Unlike sids 3056/3057 above, every skip here uses the /sR (dotall) form.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4671; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4657; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4661; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4664; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4668; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4652; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4672; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4662; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4651; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4656; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4670; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4669; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4665; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4674; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4655; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4654; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4659; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4666; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC andx SACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4660; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4667; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4653; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC unicode DACL overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4673; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT SET SECURITY DESC unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4658; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT SET SECURITY DESC DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03 00|"; within:2; distance:37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/sR"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:4663; rev:2;)
# Session Setup AndX (command byte "s" = 0x73) username overflow, the
# remaining transport/encoding variants of sids 2403/2404 above: seven
# disabled rules, sids 5677-5679 and 5681-5684, covering TCP 139, TCP 445 and
# UDP 138 in plain, unicode, andx and unicode-andx forms.
# Shared logic: bit 0x80000000 must be clear in the 4-byte little-endian word
# 21 bytes past the header skip (presumably the Capabilities field without
# extended security - verify), then a negated content asserts that no string
# terminator appears after a further 29-byte skip: no |00| within 255 bytes
# for the non-unicode rules, no |00 00| within 510 bytes for the unicode
# rules (the same 255-character bound in each encoding). The encoding is
# selected by the 0x80 flag byte_test; the andx forms find the chained "s"
# at offset 39 and byte_jump over it.
# The TCP rules use flow:stateless (per-packet, no session required); the
# UDP 138 rules anchor on a NetBIOS datagram header (|11| at offset 0).
# Only the 445 rules carry metadata:service netbios-ssn.
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5683; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5679; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup unicode andx username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5684; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5678; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5681; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5677; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5682; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Session Setup username overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:5680; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6712; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6709; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary unicode andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6711; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6706; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6708; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary unicode Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6705; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6707; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6704; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6702; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans Secondary unicode Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A1|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6703; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans Secondary andx Param Count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; metadata:service netbios-ssn; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6710; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB NT Trans Secondary unicode andx Param Count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A1|"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,>,1000,20,relative; reference:bugtraq,7106; reference:cve,2003-0085; classtype:protocol-command-decode; sid:6713; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Session Service NetDDE attack"; flow:established,to_server; content:"|00|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:36; content:!"|03 00|"; depth:2; offset:44; byte_jump:2,50, from_beginning; content:!"|00|"; within:34; distance:58; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:11816; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11945; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Datagram Service NetDDE attack"; content:"|10|"; depth:1; content:"|01 00 00 00|"; depth:4; offset:114; content:!"|03 00|"; depth:2; offset:122; byte_jump:2,128,from_beginning; content:!"|00|"; within:34; distance:136; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:11946; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11964; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 unicode andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11962; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11958; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11956; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11960; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11959; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 andx maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11963; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB Trans2 OPEN2 maximum param count overflow attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11957; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 andx maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11961; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 OPEN2 maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:service netbios-ssn; reference:cve,2003-0201; classtype:protocol-command-decode; sid:11955; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _TakeActionOnAFile attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"D|00 03 00|"; depth:4; byte_test:4,>,520,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12332; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_a0030 attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"0|00 0A 00|"; depth:4; byte_test:4,>,260,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12341; rev:12;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query unicode andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15326; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query unicode andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15324; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query unicode create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15322; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query unicode create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|s|00|q|00|l|00 5C 00|q|00|u|00|e|00|r|00|y|00 00 00|"; within:23; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15320; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15325; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15319; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /sql/query andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; classtype:protocol-command-decode; sid:15323; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /sql/query create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|sql|5C|query|00|"; within:12; distance:51; nocase; flowbits:set,smb.tree.create.sql.query; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:15321; rev:5;)
# Flowbit setter only (flowbits:noalert): tags a session whose first SMB
# command byte is 0x72 ('r', SMB_COM_NEGOTIATE) after a NetBIOS session
# message (type 0x00) so that later rules can test smb.session.negotiate.
# Note the direction: $HOME_NET -> $EXTERNAL_NET 445, so only outbound
# sessions are marked; an inbound negotiate to an internal SMB server does
# not set the bit. The rule(s) that consume this bit are not in this part
# of the file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB session negotiation request"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBr"; within:5; distance:3; flowbits:set,smb.session.negotiate; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:16381; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS NT QUERY SECURITY DESC flowbit"; flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:66,relative; content:"|06 00|"; within:2; distance:64; flowbits:set,smb.query_sec_desc; flowbits:noalert; metadata:service netbios-ssn; classtype:misc-activity; sid:16538; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; byte_jump:2,-6,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16766; rev:5;)
# Flowbit setters (flowbits:noalert) for the Timbuktu Pro /PlughNTCommand
# overflow (CVE-2009-1394). Each matches an SMB NT Create AndX (command
# 0xA2) carried in a NetBIOS datagram on UDP 138 whose path is
# \PlughNTCommand, and sets smb.tree.create.timbuktu for the rules that
# detect the overflow itself. The three variants differ only in framing:
# unicode path (sid 16761), unicode path with the 0xA2 command reached
# through the AndX chain (offset 39 + byte_jump, sid 16760), and plain
# ASCII path (sid 16759). byte_test:1,&,128,6,relative (or !& for the
# ASCII form) tests the UNICODE bit of the SMB Flags2 field.
# NOTE(review): the only consumers of this bit visible here (sids 16766,
# 16764, 16762) are commented out and are TCP [139,445] rules, while these
# setters are UDP 138; a flowbit set on a UDP datagram flow is not visible
# to a TCP session, so the TCP consumers would rely on TCP setters that are
# not in this chunk. Confirm that keeping these UDP setters enabled without
# an enabled consumer is intended — they cost matching work but never alert.
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16761; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16760; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16759; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16764; rev:5;)
# Flowbit setter only (flowbits:noalert): ASCII-path, AndX-chained variant
# of the /PlughNTCommand NT Create AndX setters (sids 16759-16761) for the
# Timbuktu Pro overflow (CVE-2009-1394). The 0xA2 command is located via
# the AndX chain (offset 39 + byte_jump) rather than at the header, and
# byte_test:1,!&,128,6,relative requires the Flags2 UNICODE bit clear.
# Sets smb.tree.create.timbuktu on a UDP 138 datagram flow.
# NOTE(review): the consumers of this bit visible in this chunk (sids
# 16766, 16764, 16762) are commented out and match TCP [139,445] sessions,
# which cannot see a flowbit set on a UDP flow; confirm that this setter is
# meant to stay enabled without an enabled consumer.
alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips alert; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16758; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"/"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16762; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian object call overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,&,16,3,relative,dce; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative,dce; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17634; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 overflow attempt"; flow:to_server,established; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative,dce; content:"|00|"; within:1; distance:1; content:"|00 00|"; within:2; distance:19; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17637; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 object call overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05|"; byte_test:1,!&,16,3,relative,dce; content:"|00|"; within:1; distance:1; byte_test:1,&,128,0,relative,dce; content:"|00 00|"; within:2; distance:19; pcre:"/^.{16}/sR"; byte_test:4,>,64,12,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17636; rev:7;)
# Flowbit setter only (flowbits:noalert): outbound ($HOME_NET ->
# $EXTERNAL_NET 445) SMB Trans2 request (command 0x32 = '2') with NT
# status 0 whose Setup[0] subcommand is 0x0001 (the little-endian |01 00|
# check at header offset 65), i.e. TRANS2_FIND_FIRST2. The intervening
# |00 00| / |00| checks pin the reserved bytes of the SMB header and of
# the Trans2 request block to zero. Sets smb.trans2.findfirst2 for
# consuming rules that are not in this part of the file; because of the
# direction it only marks sessions from internal hosts to external SMB
# servers.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt"; flow:to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:68; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18192; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"_t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:68; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18191; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:48; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18189; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum attempt"; flow:to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; content:"^t|D1 05|0|00 00 00 10 00 00 00| |00 00 00 00 00 00 00|"; depth:20; offset:48; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18190; rev:8;)
# Flowbit setter only (flowbits:noalert): outbound ($HOME_NET ->
# $EXTERNAL_NET 445) SMB Trans2 request (command 0x32 = '2') with NT
# status 0 whose Setup[0] subcommand at offset 65 is 0x0010
# (TRANS2_GET_DFS_REFERRAL). Sets smb.trans2.get_dfs_referral for
# consuming rules that are not in this part of the file.
# NOTE(review): the leading content:"|00|"; offset:1; has no depth, so it
# is satisfied by any zero byte at or after byte 1 (the NT status field
# alone guarantees one) and does not actually check the NetBIOS session
# message type; the sibling setter sid 16381 uses content:"|00|"; depth:1;
# for that purpose — looks like depth:1 was intended here, confirm before
# changing since the rule is otherwise anchored by the fixed-offset checks.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Juniper Odyssey Access Client DSSETUPSERVICE_CMD_UNINSTALL overflow attempt"; flow:established,to_server; flowbits:isset,smb.neoteris; content:"|FF|SMB|2F|"; depth:5; offset:4; content:"|03 00 00 00|"; within:4; distance:62; isdataat:228,relative; metadata:service netbios-ssn; reference:cve,2009-4643; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=850; classtype:attempted-admin; sid:19817; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Juniper NeoterisSetupService named pipe access attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|NeoterisSetupService"; within:21; distance:78; fast_pattern; nocase; flowbits:set,smb.neoteris; flowbits:noalert; metadata:service netbios-ssn; reference:cve,2009-4643; classtype:protocol-command-decode; sid:19816; rev:7;)
# Flowbit setter only (flowbits:noalert): outbound ($HOME_NET ->
# $EXTERNAL_NET [139,445]) DCE/RPC call on interface
# 4b324fc8-1670-01d3-1278-5a47bf6ee188 (srvsvc) with opnum 15
# (NetShareEnumAll), carried over SMB Trans (command 0x25) with NT status
# 0. byte_test:1,!&,128,0,relative,dce requires the REPLY bit of the SMB
# Flags byte to be clear, so only the request direction is tagged. Sets
# dce.net_share_enum_all.request for a consuming rule that is not in this
# part of the file; the reference ties it to ATT&CK T1049. Because of the
# direction this only tracks internal hosts enumerating shares on external
# hosts, not inbound enumeration of $HOME_NET servers.
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP NetShareEnumAll request"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; content:"|00|"; depth:1; content:"|FF|SMB|25|"; within:5; distance:3; content:"|00 00 00 00|"; within:4; byte_test:1,!&,128,0,relative,dce; flowbits:set,dce.net_share_enum_all.request; flowbits:noalert; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1049; classtype:protocol-command-decode; sid:20274; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP msqueue function 1 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,dce; classtype:attempted-admin; sid:9773; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; isdataat:672; content:!"|00|"; depth:672; metadata:policy max-detect-ips drop; reference:bugtraq,20365; reference:cve,2006-5143; reference:url,www.lssec.com/advisories/LS-20060313.pdf; classtype:attempted-admin; sid:9441; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:37; dce_stub_data; byte_test:4,>,4096,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,21221; reference:cve,2006-6076; reference:url,www.lssec.com/advisories/LS-20060908.pdf; classtype:attempted-admin; sid:9806; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP msqueue function 1 overflow attempt"; flow:established,to_server; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:1; dce_stub_data; byte_test:4,>,128,20,dce; classtype:attempted-admin; sid:9772; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters Name Field attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,283,16,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; depth:46; offset:20; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2008-0639; classtype:protocol-command-decode; sid:15881; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP svcctl ChangeServiceConfig2A attempt"; flow:established,to_server; dce_iface:367abb81-9844-35f1-ad32-98f038001003; dce_opnum:36; dce_stub_data; byte_test:4,=,1,24,dce; content:"|00 00 00 00|"; depth:4; classtype:protocol-command-decode; sid:10285; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,256,16,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; reference:cve,2006-6114; reference:cve,2008-0639; classtype:attempted-admin; sid:13162; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss OpenPrinter overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:1; dce_stub_data; byte_test:4,>,458,4,dce; metadata:service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; classtype:attempted-admin; sid:12808; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss RouteRefreshPrinterChangeNotification attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:65; dce_stub_data; pcre:"/^.{32}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,26,48,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:protocol-command-decode; sid:15911; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP srvsvc NetrShareEnum null policy handle attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; classtype:protocol-command-decode; sid:15448; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP netdfs NetrDfsEnum overflow attempt"; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/s"; metadata:policy max-detect-ips drop; reference:bugtraq,24198; reference:cve,2007-2446; classtype:attempted-admin; sid:14988; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss GetPrinterData attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:26; dce_stub_data; pcre:"/^.{20}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,>,65536,0,relative,dce; metadata:service netbios-ssn; reference:bugtraq,21401; reference:cve,2006-6296; classtype:protocol-command-decode; sid:13367; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP lsarpc LsarAddPrivilegesToAccount overflow attempt"; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32; pcre:"/^.{20}(.{4}).{4}(?!\1)/s"; metadata:policy max-detect-ips drop; reference:cve,2007-2446; classtype:attempted-admin; sid:11443; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [138,1024:] (msg:"NETBIOS DCERPC NCADG-IP-UDP srvsvc NetSetFileSecurity integer overflow attempt"; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; metadata:policy max-detect-ips drop; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12985; rev:11;)
# Flow-tagging rule: matches outbound SMB Trans2 (0x32) FIND_FIRST2 requests and sets
# smb.trans2.fileinfo for a companion rule that is not in this section. flowbits:noalert
# suppresses any alert from this rule itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:established,to_server; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|01 00|"; within:2; distance:52; content:"|04 01|"; within:2; distance:11; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:3;)
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB named pipe bruteforce attempt"; flow:established,to_server,no_stream; content:"|FF|SMB|A2 00 00 00 00|"; depth:10; offset:3; content:"|FF 00 00 00 00|"; within:5; distance:24; content:"|07 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 00|"; within:17; distance:26; content:"|5C|"; within:1; distance:2; pcre:"/^(samr|atsvc|DAV RPC SERVICE|epmapper|InitShutdown|LSM_API_service|plugplay|protected_storage|SapiServerPipeS-1-5-5-0-70123|scerpc|tapsrv|trkwks|W32TIME_ALT|PIPE_EVENTROOT\x5cCIMV2SCM EVENT PROVIDER|db2remotecmd)\x00$/R"; detection_filter:track by_src, count 14, seconds 1; metadata:service netbios-ssn; reference:url,www.metasploit.com/modules/auxiliary/scanner/smb/pipe_auditor; classtype:attempted-recon; sid:26321; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters overflow attempt"; flow:established,to_server; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00 21 00|"; isdataat:300,relative; content:!"|00 00|"; within:300; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,21220; reference:cve,2006-5854; reference:cve,2006-6114; reference:cve,2008-0639; classtype:attempted-admin; sid:29621; rev:2;)
# alert tcp $EXTERNAL_NET 139 -> $HOME_NET any (msg:"NETBIOS SMB server response heap overflow attempt"; flow:established,to_client; isdataat:500; content:"|00|"; depth:1; byte_test:4, >, 66563, 0; byte_test:4, <, 131072, 0; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,29404; reference:cve,2008-1105; classtype:attempted-user; sid:32631; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Wireshark console.lua file load exploit attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"c|00|o|00|n|00|s|00|o|00|l|00|e|00|.|00|l|00|u|00|a|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,49528; reference:cve,2011-3360; reference:url,www.wireshark.org/security/wnpa-sec-2011-15.html; classtype:attempted-user; sid:23238; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP ca-alert function 16,23,40, and 41 overflow attempt"; flow:established,to_server; dce_iface:3d742890-397c-11cf-9bf1-00805f88cb72; dce_opnum:16,23,40,41; dce_stub_data; byte_test:4,>,950,8,dce; content:"|05 00 00|"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,28605; reference:cve,2007-4620; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:20061; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP CA Arcserve Backup directory traversal attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:342; dce_stub_data; pcre:"/(\x2E\x2E[\x5C\x2F]){3}/"; content:"|05 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,31684; reference:cve,2008-4397; classtype:attempted-admin; sid:19890; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:20; byte_extract:4,0,count,relative,dce; byte_test:4,>,count,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18472; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|09 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17715; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect CMON_ActiveUpdate attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17714; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect trend_req_num buffer overflow attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|47 00 03 00|"; depth:4; byte_test:4,>,98,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:17707; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opnum 43 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:43; dce_stub_data; byte_test:4,>,624,0,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:17640; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt"; flow:established,to_server; dce_iface:62b93df0-8b02-11ce-876c-00805f842837; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|00 00 00 00 00 00|"; within:6; distance:14; isdataat:65,relative; content:!"|00|"; within:65; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2008-4398; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=188143; classtype:attempted-admin; sid:17635; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss EnumPrinters name overflow attempt"; flow:established,to_server; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:0; dce_stub_data; byte_test:4,>,100,16,dce; content:"N|00|e|00|t|00|W|00|a|00|r|00|e|00| |00|R|00|e|00|m|00|o|00|t|00|e|00| |00|P|00|r|00|i|00|n|00|t|00|e|00|r|00|s|00|"; depth:46; offset:20; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,25092; reference:cve,2007-6701; reference:url,support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5005400.html; classtype:attempted-admin; sid:17321; rev:8;)
# Flow-tagging rule: matches inbound SMB negotiate protocol requests (0x72) in which the
# 0x40 bit of the flags byte and the 0x8000 bit of the following 16-bit little-endian
# field are both clear (per the msg text, the "ascii strings" case) and sets
# smb.req.ascii. flowbits:noalert, so it only feeds rules that test that bit; none of
# those consumers is in this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB negotiate protocol request - ascii strings"; flow:to_server,established; content:"|FF|SMB|72 00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x40,0,relative,little; byte_test:2,!&,0x8000,1,relative,little; flowbits:set,smb.req.ascii; flowbits:noalert; metadata:service netbios-ssn; classtype:protocol-command-decode; sid:17151; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16765; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Timbuktu Pro overflow WriteAndX attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.timbuktu; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,23,relative,from_beginning,little; pcre:"/^.{4}/sR"; pcre:"/^9\s(\S{101}|\S+\s(\S{349}|\S+\s\S{521}))/siR"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:attempted-admin; sid:16763; rev:6;)
# Four flow-tagging rules (unicode / ascii, plain / AndX-chained) that match an SMB tree
# connect (0xA2) to \PlughNTCommand and set smb.tree.create.timbuktu; all four carry
# flowbits:noalert and never alert on their own.
# NOTE(review): the only rules in view that test smb.tree.create.timbuktu are sid 16765
# and sid 16763 (Timbuktu Pro WriteAndX overflow, CVE-2009-1394), and both are commented
# out above. In that state these four setters evaluate on every tree connect to this
# pipe for no detection benefit; enable the consumers or disable the setters together.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand unicode create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16757; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand unicode andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|P|00|l|00|u|00|g|00|h|00|N|00|T|00|C|00|o|00|m|00|m|00|a|00|n|00|d|00 00 00|"; within:33; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16756; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16755; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS SMB /PlughNTCommand andx create tree attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|PlughNTCommand|00|"; within:17; distance:51; nocase; flowbits:set,smb.tree.create.timbuktu; flowbits:noalert; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2009-1394; classtype:protocol-command-decode; sid:16754; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x3B null strings attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:59; dce_stub_data; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,35396; reference:cve,2009-1761; classtype:attempted-dos; sid:15710; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor opcode 0x13 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:19; dce_stub_data; byte_test:4,=,1,0,dce; byte_test:4,>,64000,8,dce; byte_test:4,=,0,12,dce; byte_test:4,>,64000,16,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,35396; reference:cve,2009-1761; classtype:attempted-dos; sid:15702; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP netdfs NetrDfsEnum overflow attempt"; flow:established,to_server; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_test:4,>,16777215,24,dce; pcre:"/^.{16}(([\x01\x02\x03\x04\xC8]\x00|\x2C\x01)\x00{2}|\x00{2}(\x00[\x01\x02\x03\x04]|\x01\x2C))/s"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24198; reference:cve,2007-2446; classtype:attempted-admin; sid:14900; rev:15;)
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB server response heap overflow attempt"; flow:established,to_client; flowbits:isset,smb.session.negotiate; flowbits:unset,smb.session.negotiate; isdataat:500; content:"|00|"; depth:1; byte_test:4, >, 66563, 0; byte_test:4, <, 131072, 0; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,29404; reference:cve,2008-1105; classtype:attempted-user; sid:13901; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetSetFileSecurity integer overflow attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:40; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; pcre:"/^(\x00\x00\x00\x00|.{12})/sR"; byte_jump:4,-4,multiplier 2,relative,align,dce; byte_test:4,=,4294967295,40,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:12984; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 CA call 269 overflow attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:269; dce_stub_data; pcre:"/^.{268}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,190,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5327; classtype:attempted-admin; sid:12940; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 19 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:19; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12934; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 18 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:18; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12928; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 16 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:16; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12922; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 12 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:12; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12916; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc3 CA opcode 4 attempt"; flow:established,to_server; dce_iface:88435ee0-861a-11ce-b86b-00001b27f656; dce_opnum:4; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,26015; reference:cve,2007-5329; classtype:protocol-command-decode; sid:12910; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP wkssvc NetrWkstaGetInfo attempt"; flow:established,to_server; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:2; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,multiplier 2,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:12; byte_test:4,>,52428800,4,relative,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2006-6723; classtype:protocol-command-decode; sid:12489; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetSvcImpersonateUser attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|10 00 0A 00|"; depth:4; byte_test:4,>,520,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12347; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect Trent_req_num_30010 overflow attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; pcre:"/^(\x10|\x0d)/s"; content:"|00 03 00|"; within:3; byte_test:4,>,38,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:attempted-admin; sid:12335; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _AddTaskExportLogItem attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|0C 01 03 00|"; depth:4; byte_test:4,>,512,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect-earthagent RPCFN_CopyAUSrc attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|00 1F 00|"; depth:3; offset:1; byte_test:4,>,512,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,23866; reference:bugtraq,25395; reference:cve,2007-2508; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12317; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetPagerNotifyConfig attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|08 05 03 00|"; depth:4; byte_test:4,>,528,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,25395; reference:cve,2007-4218; classtype:protocol-command-decode; sid:12307; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC-NCACN-IP-TCP ca alert function 16/23 overflow attempt"; flow:established,to_server; dce_iface:3d742890-397c-11cf-9bf1-00805f88cb72; dce_opnum:16,23; dce_stub_data; byte_test:4,>,200,12,dce; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24947; reference:cve,2007-3825; reference:url,supportconnectw.ca.com/public/antivirus/infodocs/caantivirus-secnotice.asp; classtype:attempted-admin; sid:12100; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:19; dce_stub_data; isdataat:32; pcre:"/^.{20}(.{4}).{4}(?!\1)/s"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:attempted-admin; sid:11442; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:15,16,17; content:"|05 00 00 03 10 00 00 00 1C 00|"; depth:10; content:"|0F 00 00 00 00 00|"; within:6; distance:12; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22994; reference:cve,2006-6076; reference:cve,2007-1447; reference:url,www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=101317; classtype:protocol-command-decode; sid:10486; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect COMN_NetTestConnection attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|17 00 0A 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10208; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"NETBIOS DCERPC NCACN-IP-TCP trend-serverprotect _SetRealTimeScanConfigInfo attempt"; flow:established,to_server; dce_iface:25288888-BD5B-11D1-9D53-0080C83A5C2C; dce_opnum:0; dce_stub_data; content:"|04 00 03 00|"; depth:4; byte_test:4,>,600,0,relative,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22639; reference:cve,2007-1070; reference:url,esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290; classtype:protocol-command-decode; sid:10202; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc GetGCBHandleFromGroupName overflow attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:207; dce_stub_data; byte_test:4,>,1024,0,dce; metadata:policy max-detect-ips drop; reference:bugtraq,22005; reference:cve,2007-0169; classtype:attempted-admin; sid:10117; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6503,6504] (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc2 ASDBLoginToComputer overflow attempt"; flow:established,to_server; dce_iface:506B1890-14C8-11D1-BBC3-00805FA6962E; dce_opnum:117; dce_stub_data; byte_test:4,>,119,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10050; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor ASRemotePFC overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:47; dce_stub_data; byte_test:4,>,624,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22005; reference:cve,2007-0169; reference:url,www.kb.cert.org/vuls/id/180336; classtype:attempted-admin; sid:10036; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6503 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor QSIGetQueuePath_Function_45 overflow attempt"; flow:established,to_server; dce_iface:DC246BF0-7A7A-11CE-9F88-00805FE43838; dce_opnum:45; dce_stub_data; byte_test:4,>,1,0,dce; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,20365; reference:cve,2006-5143; reference:cve,2006-6076; classtype:attempted-admin; sid:10030; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ClientDBMiniAgentClose attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:191; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,22010; reference:cve,2007-0168; reference:url,www.kb.cert.org/vuls/id/662400; reference:url,www.lssec.com/advisories/LS-20061002.pdf; classtype:protocol-command-decode; sid:10024; rev:13;)
# Rule lines that begin with "# alert" are shipped disabled; Snort loads only the lines that
# start with "alert". In the block below only sid 45515 and sid 48241 are enabled as shipped.
# Source-side note: rules written "any any ->" also inspect host-to-host SMB inside $HOME_NET,
# whereas "$EXTERNAL_NET any ->" rules do not if $EXTERNAL_NET is defined as !$HOME_NET.
#
# sid 10018 / sid 3697: DCERPC interface matches for BrightStor ARCserve (opnum 38) and Veritas.
# sid 3697 keys on the dce_iface bind alone (no opnum, no content), so it fires on any client
# that binds that UUID, not only on an exploit attempt.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:38; content:"|05 00 00|"; depth:3; content:"|26 00 10 09 F9 77|"; within:6; distance:19; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:10018; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6106 (msg:"NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt"; flow:established,to_server; dce_iface:93841fd0-16ce-11ce-850d-02608c44967b; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,14020; reference:cve,2005-0771; reference:url,www.idefense.com/application/poi/display?id=269&type=vulnerabilities; classtype:protocol-command-decode; sid:3697; rev:13;)
# sid 16418 (below) and sid 46637 (near the end of this file) are the same detection: SMB
# negotiate replies (command byte 0x72, flags bit 0x80 = server response) from port 445,
# thresholded at 25 per destination per second. 16418 inspects raw packets (no_stream),
# 46637 the reassembled stream (only_stream); enable both to cover both inspection paths.
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client NULL deref race condition attempt "; flow:to_client,established,no_stream; content:"|FF|SMB|72|"; depth:5; offset:4; byte_test:1,&,128,4,relative; content:"|00|"; depth:1; detection_filter:track by_dst, count 25, seconds 1; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0017; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-admin; sid:16418; rev:10;)
# sid 34916 / sid 34915: SMB NT Create AndX (command 0xA2) opening u32zlib.dll or quserex.dll
# by UTF-16 name over SMB, i.e. a DLL search-order hijack staged from a share (the T1038
# reference). The file name is the fast pattern and the only payload qualifier.
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Corel PaintShop Pro u32zlib.dll dll-load exploit attempt"; flow:established,to_server; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"u|00|3|00|2|00|z|00|l|00|i|00|b|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34916; rev:4;)
# alert tcp any any -> $HOME_NET [139,445] (msg:"NETBIOS SMB Corel PaintShop Pro quserex.dll dll-load exploit attempt"; flow:established,to_server; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; content:"q|00|u|00|s|00|e|00|r|00|e|00|x|00|.|00|d|00|l|00|l|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2014-8393; reference:url,attack.mitre.org/techniques/T1038; reference:url,attack.mitre.org/techniques/T1129; reference:url,attack.mitre.org/techniques/T1157; classtype:attempted-user; sid:34915; rev:4;)
# sid 36877: "multiplier 257" turns the single extracted byte b into the 16-bit value b*0x101,
# whose big-endian encoding is the byte pair (b, b). The two byte_tests at relative offsets 0
# and 1 then require the following bytes to all equal b -- a run of one repeated byte where an
# address is expected (assumes byte_extract advances the cursor as in Snort 2 -- confirm).
# dsize:29 pins this to a fixed-size request.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6502 (msg:"NETBIOS DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt"; flow:established,to_server; dce_iface:62B93DF0-8B02-11CE-876C-00805F842837; dce_opnum:16; dsize:29; content:"|05 00 00 03 10 00 00 00|"; depth:8; content:"|10 00|"; within:2; distance:14; byte_extract:1,0,memoryAddr,relative,multiplier 257; byte_test:2,=,memoryAddr,0,relative; byte_test:2,=,memoryAddr,1,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:cve,2006-6076; reference:cve,2006-6917; reference:url,www.lssec.com/advisories/LS-20061001.pdf; classtype:protocol-command-decode; sid:36877; rev:1;)
# sid 38322 .. sid 38319: SMB2 CREATE (command 0x0005 at SMB2 header offset 12) naming the
# samr, svcctl, srvsvc or winreg pipe. classtype misc-activity and no reference: these pipes
# are opened by ordinary remote-administration tooling, so they are context for correlation
# (who opened svcctl/winreg on which host, and when) rather than stand-alone alerts. Expect
# volume if enabled on a network with domain controllers or management hosts in $HOME_NET.
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB samr named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|a|00|m|00|r|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38322; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB svcctl named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|v|00|c|00|c|00|t|00|l|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38321; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB srvsvc named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"s|00|r|00|v|00|s|00|v|00|c|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38320; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB winreg named pipe creation attempt"; flow:to_server,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|05 00|"; within:2; distance:6; content:"w|00|i|00|n|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:service netbios-ssn; classtype:misc-activity; sid:38319; rev:1;)
# sid 39875: lsarpc opnum 0x13 (LsarAddPrivilegesToAccount) over SMB. It extracts a 4-byte
# count 24 bytes into the stub and alerts when the 4-byte field that follows is larger than
# that count -- the array count/size mismatch behind CVE-2007-2446. Port list includes 1024:
# so that endpoint-mapped DCERPC ports are covered as well as 135/139/445/593.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP lsarpc LsarAddPrivilegesToAccount overflow attempt"; flow:established,to_server; content:"|FF|SMB"; content:"|05 00 00 03 10 00 00 00|"; within:48; distance:48; content:"|13 00|"; within:2; distance:14; byte_extract:4,24,count,relative; byte_test:4,>,count,0,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2007-2446; classtype:attempted-admin; sid:39875; rev:2;)
# sid 43370: the only match is the dce_iface -- no opnum, no content -- so it fires on every
# request to that interface from any port. The UUID looks like the generic DCOM IRemUnknown2
# interface rather than anything WMI-specific (confirm), which is why it is classtype
# policy-violation and disabled by default; corroborate with host process telemetry (the
# CAR-2014-12-001 reference) before treating a hit as a remote process launch.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NETBIOS DCERPC possible wmi remote process launch"; flow:to_server,established; dce_iface:00000143-0000-0000-c000-000000000046; metadata:service dcerpc; reference:url,attack.mitre.org/techniques/T1047; reference:url,attack.mitre.org/techniques/T1084; reference:url,car.mitre.org/wiki/CAR-2014-12-001; classtype:policy-violation; sid:43370; rev:2;)
# sid 44651: five NTLMSSP type-3 (authenticate) messages in SMB Session Setup AndX (0x73)
# from one source within one second, counted on raw packets (no_stream). count/seconds is
# the only tuning knob; multi-session administrative tools can cross it legitimately.
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB NTLMSSP authentication brute force attempt"; flow:to_server,established,no_stream; content:"|FF|SMB|73|"; depth:5; offset:4; content:"NTLMSSP|00 03 00 00 00|"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 1; metadata:service netbios-ssn; reference:url,attack.mitre.org/techniques/T1110; reference:url,en.wikipedia.org/wiki/NTLMSSP; classtype:attempted-user; sid:44651; rev:4;)
# sid 45515 (ENABLED): SMB1 Trans2 request whose Setup[0] subcommand (offset 65 from the
# NetBIOS header) is 0x000E, SESSION_SETUP. It sets the flowbit smb.session_setup_subcommand
# and never alerts by itself (flowbits:noalert); it exists only to feed rules that test that
# flowbit. Commenting this line out silently disables every rule that depends on the flowbit.
alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB SESSION_SETUP subcommand detected"; flow:to_server,established; content:"|FF|SMB2"; depth:5; offset:4; content:"|0E 00|"; within:2; distance:56; flowbits:set,smb.session_setup_subcommand; flowbits:noalert; metadata:service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; classtype:protocol-command-decode; sid:45515; rev:1;)
# sid 46076: NetBIOS session request (type 0x81) whose 2-byte length field exceeds 75. The
# isdataat pair (no data at len past the header, but data at len from the start of the
# payload) requires the declared message to end within this packet, so a request split across
# segments is not matched (assumes byte_extract advances the cursor -- confirm). Community
# rule; drops in security-ips and max-detect-ips policies.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2;)
# sid 46403: NTLMSSP blob in Session Setup AndX whose message type is none of 1, 2 or 3.
# Each negative content is anchored within 4 bytes of the "NTLMSSP\0" signature, so a
# malformed or truncated type field also matches. No reference; misc-activity.
# alert tcp any any -> $HOME_NET 445 (msg:"NETBIOS SMB NTLM Authentication with unknown authentication message type attempt"; flow:to_server,established; content:"|FF|SMB|73|"; depth:5; offset:4; content:"NTLMSSP|00|"; distance:0; content:!"|01 00 00 00|"; within:4; content:!"|02 00 00 00|"; within:4; content:!"|03 00 00 00|"; within:4; metadata:service netbios-ssn; classtype:misc-activity; sid:46403; rev:1;)
# sid 46637: reassembled-stream twin of sid 16418 above (only_stream vs no_stream); see the
# note there. Identical msg text, so dedupe on sid, not on message, in the SIEM.
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client NULL deref race condition attempt "; flow:to_client,established,only_stream; content:"|FF|SMB|72|"; depth:5; offset:4; byte_test:1,&,128,4,relative; content:"|00|"; depth:1; detection_filter:track by_dst, count 25, seconds 1; metadata:policy max-detect-ips drop, service netbios-ssn; reference:cve,2010-0017; reference:cve,2010-0231; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-006; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:attempted-admin; sid:46637; rev:1;)
# sid 48241 (ENABLED): SMB Write AndX (command 0x2F) carrying the UTF-16 string
# "software-update" followed by a fixed binary tail -- the WebExService request behind
# CVE-2018-15442. The string is the fast pattern and the sole qualifier after the command
# byte; the rule drops in balanced-ips, security-ips and max-detect-ips policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Cisco WebEx WebExService.exe remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; content:"s|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00|-|00|u|00|p|00|d|00|a|00|t|00|e|00 00 00 02 00 00 00 00 00 00 00 02 00 00 00|1|00 00 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-15442; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection; classtype:attempted-admin; sid:48241; rev:1;)