# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-------------------------
# PROTOCOL-SERVICES RULES
#-------------------------

# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin guest"; flow:to_server,established; content:"guest|00|guest|00|"; fast_pattern:only; classtype:attempted-user; sid:20602; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin nobody"; flow:to_server,established; content:"nobody|00|nobody|00|"; fast_pattern:only; classtype:attempted-user; sid:20601; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES  Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; isdataat:94; content:!"="; depth:64; offset:30; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+\x00/"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31590; rev:1;)
# alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES  Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; content:"|00|"; offset:30; isdataat:64,relative; content:!"="; within:64; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+?\x00/R"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31589; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt"; flow:to_server,established; content:"|00|casuser|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00casuser\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:25535; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)