45 lines
7.6 KiB
Plaintext
45 lines
7.6 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#-----------------------
|
|
# CONTENT-REPLACE RULES
|
|
#-----------------------
|
|
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE AIM deny out-bound file transfer attempts"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12038; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE MSN deny out-bound file transfer attempts"; flow:established,to_server; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; replace:"aaaaaaa"; classtype:policy-violation; sid:12032; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts"; flow:established,to_server; content:"/notifyft"; nocase; replace:"/XXXXXXXX"; content:"Host|3A|filetransfer.msg.yahoo.com"; classtype:policy-violation; sid:12040; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"CONTENT-REPLACE Jabber deny out-bound file transfer attempts"; flow:established,to_server; content:"jabber.org/protocol"; nocase; content:"file xmlns="; nocase; content:"|22|set|22|"; replace:"|22|NOT|22|"; classtype:policy-violation; sid:12034; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CONTENT-REPLACE IRC deny out-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12036; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12041; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE MSN deny in-bound file transfer attempts"; flow:established,to_client; content:"MSG"; content:"msnmsgrp2p"; nocase; replace:"AAAAAAAAAA"; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; classtype:policy-violation; sid:12031; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny in-bound file transfer attempts"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12037; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; depth:4; content:"|00|F"; depth:2; offset:10; replace:"OK"; classtype:policy-violation; sid:12039; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"CONTENT-REPLACE Jabber deny in-bound file transfer attempts"; flow:established,to_client; content:"profile="; nocase; content:"jabber.org/protocol"; nocase; content:"id="; nocase; replace:"NO="; classtype:policy-violation; sid:12033; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts"; flow:established,to_server; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12042; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CONTENT-REPLACE IRC deny in-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12035; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5190] (msg:"CONTENT-REPLACE AIM or ICQ deny unencrypted login connection"; flow:established,to_server; dsize:<500; content:"*|01|"; depth:2; replace:"|FF FF|"; reference:url,www.protocolbase.net/protocols/protocol_ICQ.php; classtype:policy-violation; sid:15415; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny server certificate for encrypted login"; flow:established,to_client; ssl_version:tls1.0; content:"0|16 06 03|U|04 03 13 0F|kdc.uas.aol.com"; nocase; replace:"0|16 06 03|U|04 03 13 00|xxx.xxx.xxx.com"; classtype:policy-violation; sid:15417; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CONTENT-REPLACE MSN deny login"; flow:established,to_server; content:"USR "; depth:4; replace:"FFF "; classtype:policy-violation; sid:15420; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONTENT-REPLACE ICQ deny http proxy login"; flow:established,to_server; content:"Host|3A| http.proxy.icq.com"; nocase; content:"GET /hello"; depth:10; nocase; replace:"GET /gdbye"; metadata:service http; classtype:policy-violation; sid:15416; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger deny outbound login attempt"; flow:established,to_server; content:"YMSG"; depth:4; content:"|00|W"; depth:2; offset:10; replace:"|FF FF|"; classtype:policy-violation; sid:15429; rev:2;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2008 deny udp login"; content:"|02 12|Q|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15440; rev:2;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2009 deny udp login"; content:"|02 16|!|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15438; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 12|Q|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15441; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 16|!|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15439; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5222] (msg:"CONTENT-REPLACE Google Talk deny login"; flow:established,to_server; content:"<stream|3A|stream"; depth:14; nocase; replace:"<AAAAAA|3A|AAAAAA"; classtype:policy-violation; sid:15570; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,6503,6504] (msg:"CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt"; flow:established,to_server; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; replace:"|0A 02 00 00|"; metadata:policy max-detect-ips drop; classtype:protocol-command-decode; sid:18469; rev:7;)
|