# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# PROTOCOL-SNMP RULES
#---------------------
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP oversized sysName set request"; content:"+|06 01 02 01 01 05 00|"; byte_test:1,>,99,1,relative; metadata:service snmp; reference:bugtraq,26001; reference:cve,2007-5381; classtype:attempted-admin; sid:12712; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [161,1118] (msg:"PROTOCOL-SNMP Samsung printer default community string"; content:"|04 0B|s|21|a|40|m|23|n|24|p|25|c"; depth:14; offset:5; metadata:service snmp; reference:url,attack.mitre.org/techniques/T1078; reference:url,l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; reference:url,www.kb.cert.org/vuls/id/281284; classtype:attempted-admin; sid:24814; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 02 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31059; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31058; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 09 01 05 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31057; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 0F 01 03 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31056; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A4 4C 02 11 01 01 01 02 61 64 6D 69 6E 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31100; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 06 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31099; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 A4 4C 02 0E 02 05 01 02 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31098; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt"; flow:to_server; content:"|30 13 06 0F 2B 06 01 04 01 A3 0B 02 04 01 01 06 01 02 00 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:bugtraq,69631; reference:cve,2014-4862; reference:cve,2014-4863; reference:url,oid-info.com/get/1.3.6.1.4.1.4491.2.4.1.1.6.1.2; classtype:attempted-recon; sid:31097; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 0C 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31096; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt"; flow:to_server; content:"|30 18 06 14 2B 06 01 04 01 A4 4C 26 02 02 02 01 05 04 02 03 01 02 0C 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31095; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 8F 5B 0A|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31578; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 81 C7 22|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31577; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products WPA key enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 04 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31856; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 02 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31855; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 03 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31854; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 1A 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31853; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 18 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31852; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 19 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31851; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt"; flow:established,to_server; content:"|FF FF FF FF|"; depth:4; offset:16; metadata:policy max-detect-ips drop, service snmp; reference:bugtraq,39561; reference:cve,2010-1319; classtype:attempted-admin; sid:18926; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC firmware update detected"; flow:to_server; content:"|2B 06 01 04 01 5F 02 03 01 01 01 01 00|"; fast_pattern:only; metadata:service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:policy-violation; sid:39877; rev:2;)
# The only rule in this file that is enabled: every other PROTOCOL-SNMP rule
# here is commented out, so this line is the file's sole contribution to the
# loaded ruleset.
# Matches UDP from $EXTERNAL_NET to $HOME_NET port 161 (flow:to_server) whose
# payload contains the community string "wheel" together with the OID prefix
# bytes |2B 06 01 04 01 5F| (the OID content is the fast_pattern:only match;
# neither content is bounded by depth/offset, so each may sit anywhere in the
# payload).
# metadata "policy balanced-ips drop, policy security-ips drop, policy
# max-detect-ips drop": under those policies in an inline deployment the
# recommended action is drop; in passive/IDS mode the rule only alerts.
# NOTE(review): confirm which policy the local snort.conf applies before
# relying on the drop behaviour.
# References carried by the rule: CVE-2016-5645 and the Talos report
# TALOS-2016-0184 (Allen-Bradley MicroLogix PLC, per the msg text).
# Tuning: the companion rule for the same product, sid:39877 (firmware update
# over SNMP, same OID prefix), is disabled above; enable it alongside this one
# if PLC firmware changes should also be alerted on. Any legitimate management
# traffic that uses this community string will match this rule as well.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC SNMP request via undocumented community string attempt"; flow:to_server; content:"wheel"; content:"|2B 06 01 04 01 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:attempted-recon; sid:39876; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 82 C0 32|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:cve,2017-5262; reference:url,blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities; classtype:attempted-recon; sid:45611; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 81 8A 31|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:bugtraq,99083; reference:cve,2017-7918; reference:cve,2017-7922; reference:url,ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/; classtype:attempted-recon; sid:45618; rev:1;)