207 lines
80 KiB
Plaintext
207 lines
80 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#-------------------
|
|
# SERVER-MAIL RULES
|
|
#-------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL YPOPS buffer overflow attempt"; flow:to_server,established; content:"|EB 06 92|F"; pcre:"/(\xeb\x08\x46\x92){49}/"; metadata:service smtp; reference:bugtraq,11256; reference:cve,2004-1558; classtype:attempted-admin; sid:8706; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-MAIL Mortal Universe POP Peeper date header overflow attempt"; flow:to_client,established; content:"date: "; fast_pattern; isdataat:290,relative; content:!"|0D 0A|"; within:290; metadata:service pop3; reference:cve,2009-1029; reference:url,exploit-db.com/exploits/8203/; classtype:attempted-user; sid:23404; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"SERVER-MAIL Axigen POP3 server remote format string exploit"; flow:to_server,established; content:"%18u%66$n%34u%65$hhn%31u%72$hhn%10u%68$hhn%31u%71$hhn%87u%70$hhn%14u%69$hhn%90u%73$hhn%158u%67$hhn|0D 0A|"; fast_pattern:only; metadata:service pop3; reference:bugtraq,22603; classtype:attempted-admin; sid:20614; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [25,143] (msg:"SERVER-MAIL Microsoft Windows Exchange ical/vcal malformed property"; flow:to_server,established; content:"DESCRIPTION|3A|"; nocase; isdataat:268,relative; content:!"|0A|"; within:256; pcre:"/^DESCRIPTION\x3A[^\n]{268}/smi"; reference:bugtraq,17908; reference:cve,2006-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-019; classtype:attempted-admin; sid:12619; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s*\{\s/smi"; byte_test:5,>,250,0,string,dec,relative; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12115; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Ipswitch IMail search command buffer overflow attempt"; flow:to_server,established; content:"charset"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s+charset\s+[^\s]{250}/smi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12114; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Ipswitch IMail literal search date command buffer overflow attempt"; flow:to_server,established; content:"search"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s*\{\s/smi"; byte_test:5,>,64,0,string,dec,relative; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12212; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Multiple IMAP server literal CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE "; nocase; content:"{"; within:5; byte_test:8,>,180,0,relative, string; metadata:service imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; classtype:attempted-admin; sid:17240; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL MailEnable IMAP Service Invalid Command Buffer Overlow LOGIN"; flow:to_server,established; content:"login|20 7B|"; depth:7; offset:3; nocase; byte_test:10,>,1023,0,relative,string; metadata:service imap; reference:bugtraq,21252; classtype:attempted-admin; sid:17503; rev:4;)
|
|
# alert tcp any 110 -> $HOME_NET any (msg:"SERVER-MAIL Eureka Mail 2.2q server error response overflow attempt"; flow:to_client,established; content:"-ERR"; isdataat:718,relative; content:!"|0A|"; within:718; reference:cve,2009-3837; reference:url,archives.neohapsis.com/archives/bugtraq/2009-10/0170.html; classtype:misc-attack; sid:16799; rev:4;)
|
|
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-MAIL Qualcomm Eudora url buffer overflow attempt"; flow:to_client,established; content:"|3C|x|2D|html|3E|"; fast_pattern; nocase; content:"href|3D 22|file|3A 2F 2F|"; distance:0; nocase; isdataat:281,relative; content:!"|22 3E|"; within:281; metadata:service pop3; reference:bugtraq,10298; reference:cve,2002-1770; classtype:attempted-user; sid:20578; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community, service smtp; classtype:policy-violation; sid:490; rev:12;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SMTP relaying denied"; flow:established,to_client; content:"550 5.7.1"; depth:70; metadata:ruleset community, service smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset community, service smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20;)
|
|
# alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi"; metadata:ruleset community, service smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:ruleset community, service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; fast_pattern:only; metadata:ruleset community, service smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; fast_pattern:only; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2266; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2268; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Kinesphere eXchange POP3 mail server overflow attempt"; flow:to_server,established; content:"MAIL"; fast_pattern:only; pcre:"/^\s*MAIL\s+[^\s\n][^\n]{1006,}/smi"; metadata:service smtp; reference:bugtraq,10180; reference:cve,2004-1945; classtype:misc-attack; sid:3815; rev:11;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL Yahoo YPOPS Banner"; flow:to_client,established; content:"220 YahooPOPs!"; flowbits:set,ypops.banner; flowbits:noalert; metadata:service smtp; classtype:not-suspicious; sid:8704; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Yahoo YPOPS buffer overflow attempt"; flow:to_server,established; flowbits:isset,ypops.banner; flowbits:unset,ypops.banner; pcre:"/[^\x0d\x00\x0a]{509}/"; metadata:service smtp; reference:bugtraq,11256; reference:cve,2004-1558; classtype:attempted-admin; sid:8705; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Mail file execution attempt"; flow:to_server,established; file_data; content:"Content-Type|3A| text/html"; fast_pattern:only; content:"href|3D|"; pcre:"/<[^>]+href[^>]*(\x22c\x3A\x2F|\x22c\x3A\x5C|\\\\)[^>]*(\x3F|\x2Eexe)/i"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-034; classtype:attempted-user; sid:11837; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange CDO long header name"; flow:to_server,established; content:"|0D 0A|DATA|0D 0A|"; pcre:"/\r\n\w{200,}\x3a.*\r\n/"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15067; reference:cve,2005-1987; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-048; classtype:attempted-admin; sid:12423; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes MIF viewer MIFFILE comment overflow"; flow:to_server,established; content:"<MIFFile"; fast_pattern:only; content:"|23|"; isdataat:76,relative; content:!"|0A|"; within:76; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12704; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes MIF viewer statement overflow"; flow:to_server,established; content:"MIFFile"; fast_pattern:only; pcre:"/\x3D[^\s\n]{88}/si"; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12705; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL MailEnable SMTP HELO command denial of service attempt"; flow:to_server,established; content:"HELO "; depth:5; content:"|00|"; within:2; metadata:service smtp; reference:bugtraq,18630; reference:cve,2006-3277; classtype:attempted-dos; sid:13923; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise Internet Agent SMTP AUTH LOGIN command buffer overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; content:"LOGIN"; distance:0; nocase; pcre:"/^\s*AUTH\s+LOGIN[^\x0a\x0d]{100,}(?<!\x0d)\x0a/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35065; reference:cve,2009-1636; classtype:attempted-admin; sid:16193; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Ipswitch IMail RCPT TO proxy overflow attempt"; flow:to_server,established; content:"RCPT TO|3A|"; content:"|3A|"; within:500; nocase; pcre:"/^RCPT TO\x3A[^\r\n\x3C]*\x3C(?=[^\r\n\x3E]*\x3A)[^\r\n\x3E]{460}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,19885; reference:cve,2006-4379; reference:url,www.ipswitch.com/support/imail/releases/im20061.asp; classtype:attempted-admin; sid:18317; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-MAIL Microsoft Windows Exchange OWA XSS and spoofing attempt"; flow:to_client,established; file_data; content:"exchange/calendar/pick.asp?view=ppp%22></applet><script>alert|28|%22hi,%20this%20is%20javascript%20here%22|29|</script>|22|>click this</a>"; metadata:service http; reference:bugtraq,10902; reference:cve,2004-0203; classtype:misc-attack; sid:15964; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 113 -> $HOME_NET any (msg:"SERVER-MAIL Sendmail identd command parsing vulnerability"; flow:to_client,established; content:"|7C|sed|0A|'1,/^|24|/d'|7C|/bin/sh"; nocase; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:15936; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail smtp timeout buffer overflow attempt"; flow:to_server,established; content:"Subject|3A| AAAAAA|CC CC CC CC CC CC|"; metadata:service smtp; reference:bugtraq,17192; reference:cve,2006-0058; classtype:attempted-admin; sid:16057; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail header length exploit attempt"; flow:to_server,established; content:"To|3A|"; isdataat:80,relative; pcre:"/^To\x3a[^\n]{80}/im"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22115; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail format string exploit attempt"; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/From\x3a[^\n]*?\x25(\d+\x24)?(\d+)?[nxXcsd]/i"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22110; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail format string exploit attempt"; flow:to_server,established; content:"To|3A|"; fast_pattern:only; pcre:"/^To\x3a[^\n]*?\x25(\d+\x24)?(\d+)?[nxXcsd]/smi"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22111; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail header length exploit attempt"; flow:to_server,established; content:"Subject|3A|"; isdataat:200,relative; pcre:"/^Subject\x3a[^\n]{200}/im"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22113; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail format string exploit attempt"; flow:to_server,established; content:"Content|2D|Type|3A|"; fast_pattern:only; pcre:"/^Content-Type\x3a[^\n]*?\x25(\d+\x24)?(\d+)?[nxXcsd]/smi"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22112; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Metamail header length exploit attempt"; flow:to_server,established; content:"From|3A|"; isdataat:80,relative; pcre:"/^From\x3a[^\n]{80}/im"; metadata:service smtp; reference:bugtraq,9692; reference:cve,2004-0104; classtype:attempted-admin; sid:22114; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Alt-N MDaemon file attachment directory traversal attempt"; flow:to_server,established; content:"filename="; fast_pattern:only; pcre:"/filename\s*?=\s*?\x22[^\x22]+?(\x2e\x2e(\x2f|\x5c)){3}/i"; metadata:service smtp; reference:bugtraq,14400; classtype:misc-attack; sid:23435; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:631; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:632; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:27;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/mi"; metadata:ruleset community, service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2275; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-type buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-disposition buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SEND overflow attempt"; flow:to_server,established; content:"SEND"; isdataat:246,relative; pcre:"/^\s*SEND\s+[^\n]{246}/sm"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3655; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SAML overflow attempt"; flow:to_server,established; content:"SAML"; isdataat:246,relative; pcre:"/^\s*SAML\s+[^\n]{246}/sm"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3653; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL MDaemon 6.5.1 and prior versions MAIL overflow attempt"; flow:to_server,established; content:"MAIL"; depth:4; isdataat:246,relative; pcre:"/^MAIL\s+[^\n]{246}/sm"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3656; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SOML overflow attempt"; flow:to_server,established; content:"SOML"; depth:4; isdataat:246,relative; pcre:"/^SOML\s+[^\n]{246}/sm"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3654; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; fast_pattern:only; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi).*filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/smi"; metadata:service smtp; reference:bugtraq,2524; reference:cve,2001-0154; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-020; classtype:attempted-admin; sid:3682; rev:11;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL headers too long server response"; flow:to_client,established; content:"552"; content:"Headers"; fast_pattern:only; pcre:"/^552[A-Z0-9\s\x5F\x2D\x2E\x28\x29\x22\x27]+Headers\s+too\s+large/smi"; metadata:service smtp; reference:bugtraq,17192; reference:cve,2006-0058; classtype:bad-unknown; sid:5739; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Address Book attachment detected"; flow:to_server,established; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:6412; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Address Book Base64 encoded attachment detected"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"base64"; distance:0; nocase; content:"nMvLjRN10hGRWADAT3lWpA"; distance:0; pcre:"/^Content-Transfer-Encoding\s*\x3A\s*base64/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-016; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-076; classtype:misc-activity; sid:6413; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ClamAV mime parsing directory traversal"; flow:to_server,established; content:"Message/Partial"; fast_pattern:only; pcre:"/Content-Type\s*\x3a\s*Message\x2fPartial/smi"; pcre:"/id\s*=\s*[\x22\x27]?[^\x22\x27\n]*..[\x2f\x5c]/smi"; metadata:service smtp; reference:bugtraq,22581; reference:cve,2007-0898; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=476; classtype:attempted-user; sid:10186; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL MAIL FROM command overflow attempt"; flow:to_server,established; content:"MAIL"; nocase; content:"FROM"; distance:1; nocase; content:"|3A|"; distance:0; nocase; isdataat:260; content:!"|0A|"; within:260; pcre:"/^\s*MAIL\s+FROM\s*\x3A\s*\x3C?\s*[^\x3E\s]{257}\s/mi"; metadata:service smtp; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2003-0263; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:15574; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL BDAT size public exploit attempt"; flow:to_server,established; content:"b00mAUTH LOGIN"; metadata:service smtp; reference:cve,2002-0055; classtype:attempted-dos; sid:13845; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL BDAT size longer than contents exploit attempt"; flow:to_server,established; content:"0123AUTH LOGIN"; metadata:service smtp; reference:cve,2002-0055; classtype:attempted-dos; sid:13844; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft collaboration data objects buffer overflow attempt"; flow:to_server, established; content:"FromAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15067; reference:cve,2005-1987; classtype:attempted-user; sid:17737; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes DOC attachment viewer buffer overflow"; flow:to_server,established; content:"filename="; nocase; content:".wpd"; within:50; fast_pattern; nocase; file_data; content:"|00 00 C9|mup|B6 89|a|88|"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26146; reference:cve,2007-5544; classtype:attempted-user; sid:18476; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Lotus Notes MIF viewer statement data overflow 2"; flow:to_server,established; content:".mif"; fast_pattern:only; file_data; content:"<MIFFile"; depth:8; pcre:"/\x3C[^\x3E]{88}/smiR"; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:18477; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"|6A 12 59 D9 EE D9 74 24 F4 58 81 70 13 91 38 F2 7E 83 E8 FC E2 F4|"; fast_pattern:only; pcre:"/^RCPT\s*TO\x3a\s*\x3c?[^\n\x3e]{64}/im"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; classtype:attempted-admin; sid:18574; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes Applix Graphics Parsing Buffer Overflow"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; nocase; file_data; content:"|2A|BEGIN GRAPHICS VERSION"; within:23; nocase; pcre:"/VERSION\x3d\d{3}\x2f[^\r\n]{20}/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,28454; reference:cve,2007-5405; classtype:attempted-admin; sid:18603; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Majordomo2 smtp directory traversal attempt"; flow:to_server,established; content:"help ../../../../../.."; fast_pattern:only; metadata:service smtp; reference:bugtraq,46127; reference:cve,2011-0049; classtype:web-application-attack; sid:18765; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 105 (msg:"SERVER-MAIL Mercury Mail Transport System buffer overflow attempt"; flow:to_server,established; content:"|4A 4A 4A 4A 4B 4B 4B 4B 4C 4C 4C 4C 4D 4D 4D 4D 4E 4E 4E 4E 4F 4F 4F 4F 50 50 50 50 E9 87 FE FF FF|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,16396; reference:cve,2005-4411; classtype:attempted-user; sid:20552; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise internet agent iCalendar parsing denial of service attempt"; flow:to_server,established; file_data; content:"BEGIN:VCALENDAR"; fast_pattern:only; pcre:"/^(PERIOD|DTSTART|DTEND|RECUR|DTSTAMP|TRIGGER|COMPLETED|DUE|FREEBUSY|RECURRENCE-ID|EXDATE|RDATE|CREATED|LAST-MODIFIED)\x3a(?!\s*\d{8}T\d{6})[^\r\n]*?[\r\n]/m"; metadata:service smtp; reference:bugtraq,55574; reference:cve,2011-3827; reference:url,www.novell.com/support/kb/doc.php?id=7010767; classtype:denial-of-service; sid:24524; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes URI handler command execution attempt"; flow:to_server,established; file_data; content:"notes|3A|"; content:"-RPARAMS"; distance:0; content:"-vm"; within:6; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,54070; reference:cve,2012-2174; classtype:attempted-user; sid:24200; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"SERVER-MAIL MailEnable SMTP service SPF lookup buffer overflow attempt"; flow:to_client,established; content:"|00 01|Q|80 04|9|06|v=spf1|0A|AAAAAAAAAA|0A|AAAAAAAAAA"; metadata:service dns; reference:bugtraq,20091; reference:cve,2006-4616; classtype:attempted-admin; sid:16025; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL Exim and Dovecot mail from remote command execution attempt"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; content:"|60|wget"; within:50; fast_pattern; nocase; metadata:service smtp; reference:url,isc.sans.edu/diary/Dovecot++Exim+Exploit+Detects/16243; classtype:attempted-admin; sid:27532; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-MAIL Mortal Universe POP Peeper uidl header overflow attempt"; flow:to_client,established; content:"+OK|0D 0A|"; depth:5; isdataat:1070,relative; content:!"|0D 0A|"; within:1070; metadata:service pop3; reference:cve,2009-1029; reference:url,exploit-db.com/exploits/8203/; classtype:attempted-user; sid:30202; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL BitDefender Antivirus logging function format string remote code execution attempt"; flow:to_server,established; content:"filename"; nocase; content:"%"; within:10; pcre:"/filename\s*?=\s*?[\x22\x27]?\w+?(\x25[npsd])+?\x2e\w/i"; metadata:service smtp; reference:bugtraq,14968; reference:cve,2005-3154; classtype:attempted-user; sid:30950; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL Microsoft Windows Mail file execution attempt"; flow:to_client,established; file_data; content:"Content-Type|3A| text/html"; fast_pattern:only; content:"href|3D|"; pcre:"/<[^>]+href[^>]*(\x22c\x3A(\x2F|\x5C)|\\\\)[^>]*(\x3F|\x2Eexe)(\x22|\x27)/i"; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2007-1658; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-034; classtype:attempted-user; sid:31650; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Exchange OWA meeting invite XSS attempt"; flow:to_server,established; file_data; content:"BEGIN:VCALENDAR"; depth:15; content:"|0D 0A|DESCRIPTION:"; distance:0; content:"onerror="; within:300; nocase; metadata:service smtp; reference:cve,2014-6326; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-075; classtype:misc-attack; sid:32705; rev:1;)
|
|
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Exim gethostbyname heap buffer overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/^\s*?HELO\s+\d[\d\x2e]{500}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72325; reference:cve,2015-0235; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:33226; rev:3;)
|
|
alert tcp any any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Exim gethostbyname heap buffer overflow attempt"; flow:to_server,established; content:"EHLO"; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/^\s*?EHLO\s+\d[\d\x2e]{500}/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,72325; reference:cve,2015-0235; reference:url,openwall.com/lists/oss-security/2015/01/27/9; classtype:attempted-admin; sid:33225; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL GNU Mailman date field buffer overflow attempt"; flow:to_server,established; file_data; content:"Date|3A 20|"; depth:250; pcre:"/Date:\s*\w+\x2c\s*\d{3,20}\s*\w+\s*\d{5,20}\s*\d{3,20}\x3a\d{3,20}\x3A\d{3,20}\s*\x2d\d{5,20}/smi"; metadata:service smtp; reference:cve,2005-4153; classtype:attempted-user; sid:33564; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-MAIL Microsoft Exchange UM Management user stored XSS attempt"; flow:to_server,established; content:"UM Management"; http_client_body; content:"Members"; within:300; http_client_body; content:"Identity:ECP|22|,|22|DisplayName|22|:|22|"; fast_pattern:only; http_client_body; pcre:"/Identity:ECP\x22\x2C\x22DisplayName\x22:\x22[^\x22]*\x22(?!\s*,\s*\x22RawIdentity)/Psi"; metadata:service http; reference:cve,2015-1630; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-026; classtype:web-application-attack; sid:33811; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-MAIL Microsoft Exchange OWA X-OWA-CANARY command injection attempt"; flow:to_server,established; content:"/owa/?ae=Item&"; fast_pattern:only; http_uri; content:"X-OWA-CANARY="; http_header; content:"|22|"; within:80; http_header; pcre:"/X-OWA-CANARY=[^\r\n]+?([\x22\x3c\x3e\x28\x29]|script|onload|src)/iH"; metadata:service http; reference:cve,2015-1628; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-026; classtype:misc-attack; sid:33807; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt"; flow:to_server,established; content:"MAIL|20|FROM|3A 20|"; nocase; content:"|24 28|"; distance:0; pcre:"/(^|\x0d\x0a)MAIL\x20FROM\x3a\x20[^\x0d\x0a]*?\x24\x28/i"; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:31890; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Exim Dovecot LDA sender_address command injection attempt"; flow:to_server,established; content:"MAIL|20|FROM|3A 20|"; nocase; content:"|60|"; distance:0; pcre:"/(^|\x0d\x0a)MAIL\x20FROM\x3a\x20[^\x0d\x0a]*?\x60/i"; metadata:policy max-detect-ips drop, service smtp; classtype:attempted-user; sid:31889; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL IBM Lotus Notes URI handler command execution attempt"; flow:to_client,established; file_data; content:"notes|3A|"; content:"-RPARAMS"; distance:0; content:"-vm"; within:6; metadata:policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,54070; reference:cve,2012-2174; classtype:attempted-user; sid:24199; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange MODPROPS denial of service attempt"; flow:to_server,established; content:"X-MICROSOFT-CDO-MODPROPS:"; fast_pattern:only; content:"Content-Type: text/calendar"; nocase; content:"X-MICROSOFT-CDO-MODPROPS:"; isdataat:25; content:!"|0A|"; within:1; distance:24; content:"X-MICROSOFT-CDO-MODPROPS"; distance:0; content:"X-MICROSOFT-CDO-MODPROPS:"; distance:0; content:"END:"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-dos; sid:21776; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Postfix SMTP Server SASL AUTH Handle Reuse Memory Corruption"; flow:to_server,established; content:"EHLO"; nocase; content:"|0A|AUTH|20|"; distance:0; nocase; content:"|0A|AUTH|20|"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,47778; reference:cve,2011-1720; classtype:attempted-user; sid:19708; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Ipswitch IMail Server Mailing List Message Subject buffer overflow"; flow:to_server,established; content:"Subject|3A 20|"; nocase; content:"?Q?"; distance:0; fast_pattern; content:!"|0A|"; within:512; pcre:"/Subject\x3a\x20[^\n]*\x3fQ\x3f[^\n]{512}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:url,secunia.com/advisories/40638; classtype:attempted-admin; sid:19213; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Ipswitch IMail Server List Mailer Reply-To address buffer overflow attempt"; flow:to_server,established; content:"Reply-To|3A|"; nocase; isdataat:1024,relative; content:"Reply-To|3A|"; distance:0; pcre:"/^Reply\-To\x3a[^\n]{512}.*^Reply\-To\x3a[^\n]{512}/ism"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,41717; classtype:attempted-admin; sid:18808; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise Internet Agent RRULE parsing buffer overflow attempt"; flow:to_server,established; file_data; content:"BEGIN:VCALENDAR"; nocase; content:"|0A|RRULE"; distance:0; nocase; isdataat:300,relative; content:!"|0A|"; within:300; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,44732; reference:bugtraq,49777; reference:bugtraq,49781; reference:cve,2010-4715; reference:cve,2011-2662; reference:cve,2011-2663; classtype:attempted-admin; sid:18768; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,465,587,691] (msg:"SERVER-MAIL IBM Lotus Domino nrouter.exe iCalendar MAILTO stack buffer overflow attempt"; flow:to_server, established; content:"ORGANIZER|3A|mailto|3A|"; nocase; isdataat:300,relative; pcre:"/ORGANIZER\x3amailto\x3a[^\r\n]{300}/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,43219; reference:cve,2010-3407; reference:url,www.exploit-db.com/exploits/15005/; classtype:attempted-admin; sid:18461; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt"; flow:to_server,established; content:"=FFWPC=3D=06=00=00=01=0A"; nocase; content:"=D5ju=FC=16=F8=AE2"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,34086; reference:cve,2008-4564; classtype:attempted-admin; sid:17777; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes HTML input tag buffer overflow attempt"; flow:to_server,established; content:"<input "; nocase; isdataat:128,relative; pcre:"/<input\s+[^>]*?name\s*=\s*(3D=)?[^\x20]{128}/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26200; reference:cve,2007-4222; reference:url,www-1.ibm.com/support/docview.wss?rs=477&uid=swg21272930; classtype:attempted-user; sid:17717; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes DOC attachment viewer buffer overflow"; flow:to_server,established; content:"attachment|3B|"; content:"filename=|22|poc.wpd|22|"; distance:0; content:"00=00=c9mup=B6=89a=88"; distance:0; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26146; reference:cve,2007-5544; classtype:attempted-user; sid:17716; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RealNetworks RealPlayer wav chunk string overflow attempt in email"; flow:to_server,established; content:"LIST|3D|1C|3D|"; content:"INFOINAM|3D|10|3D|00|3D|00|3D|00AAAAAAAAAAAA"; within:32; distance:8; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,12697; reference:cve,2005-0611; classtype:attempted-user; sid:17698; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange and Outlook TNEF Decoding Integer Overflow attempt"; flow:to_server,established; content:"application/ms-tnef"; nocase; content:"AwMDAwMDQBdXNlckBleGFtcGxlLmNvbQE"; content:"I18jIA+zM2AegCpAPjA"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16197; reference:cve,2006-0002; classtype:attempted-admin; sid:17481; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL MailEnable service APPEND command handling buffer overflow attempt"; flow:to_server,established; content:"append"; fast_pattern:only; pcre:"/^\d+\s+append\s+[^\r\n]*\{[^\r\n}]{128}/i"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,22792; reference:cve,2007-1301; classtype:attempted-admin; sid:17369; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Lotus Notes Attachment Viewer UUE file buffer overflow attempt"; flow:to_server,established; flowbits:isset,smtp.contenttype.attachment; content:"|0D 0A 0D 0A|begin|20|"; isdataat:278,relative; content:!"end|0D 0A|"; within:278; nocase; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17333; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Disposition attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"attachment"; distance:0; nocase; pcre:"/^Content-Disposition\x3A\s*attachment/smi"; flowbits:set,smtp.contenttype.attachment; flowbits:noalert; metadata:service smtp; classtype:protocol-command-decode; sid:17332; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-MAIL IBM Lotus Notes HTML Speed Reader Long URL buffer overflow attempt"; flow:established,to_client; file_data; content:"Content-Disposition|3A| attachment"; nocase; content:"<a "; nocase; content:"href="; distance:0; content:!"|3E|"; within:500; pcre:"/href=.*?[\x22\x27][^\x22\x27]{500}/smi"; metadata:policy max-detect-ips drop, service pop3; reference:bugtraq,16576; reference:cve,2005-2618; classtype:attempted-user; sid:17331; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Qualcomm WorldMail IMAP Literal Token Parsing Buffer Overflow"; flow:to_server,established; flowbits:isset,qualcom.worldmail.ok; dsize:>668; content:"}|0D 0A|"; fast_pattern:only; file_data; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,15980; reference:cve,2005-4267; classtype:attempted-admin; sid:17328; rev:9;)
|
|
alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"SERVER-MAIL Qualcomm WorldMail Server Response"; flow:established,to_client; content:"WorldMail IMAP4 Server"; fast_pattern:only; flowbits:set,qualcom.worldmail.ok; flowbits:noalert; metadata:service imap; classtype:protocol-command-decode; sid:17327; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 105 (msg:"SERVER-MAIL Mercury Mail Transport System buffer overflow attempt"; flow:to_server,established; content:"aaaaaa"; nocase; isdataat:526; pcre:"/^[^\x0a]{526}/m"; metadata:policy max-detect-ips drop; reference:bugtraq,16396; reference:cve,2005-4411; classtype:attempted-user; sid:17283; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Symantec Brightmail AntiSpam nested Zip handling denial of service attempt"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; content:"|55 45 73 44 42 41 6F 41 41 41 41 41 41 44 57 43|"; distance:0; content:"|42 55 41 54 43 30 33 4C 6E 70 70 63 46 56 55 43|"; distance:0; content:"|44 33 54 49 6E 51 39 30 79 4A 30 4E 56 65 41 51|"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,14757; reference:url,ftp.symantec.com/public/english_us_canada/products/sba/sba_60x/updates/release_notes_p157.txt; classtype:attempted-dos; sid:17275; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Multiple IMAP servers CREATE command buffer overflow attempt"; flow:to_server,established; content:" CREATE"; nocase; isdataat:180,relative; content:!"|0D 0A|"; within:180; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,14315; reference:bugtraq,41704; reference:cve,2005-1520; reference:cve,2010-2777; reference:cve,2017-1274; classtype:attempted-admin; sid:17239; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25[npd]/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:17224; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise Internet Agent Email address processing buffer overflow attempt"; flow:to_server,established; content:"MAIL"; nocase; content:"FROM"; distance:0; nocase; pcre:"/^\s*MAIL\s*FROM\s*\x3a\s*(\x3c[\x3e]*\x3e|\S+)\s+[^\x09\x0a\x0d\x20\x3d]{40}/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,35064; reference:cve,2009-1636; classtype:attempted-admin; sid:16597; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"SERVER-MAIL Microsoft Windows Mail remote code execution attempt"; flow:to_client, established; flowbits:isset,pop3.stat; content:"+OK "; flowbits:unset,pop3.stat; byte_test:10,>,350000000,0,relative,dec,string; metadata:policy max-detect-ips drop, service pop3; reference:cve,2010-0816; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-030; classtype:attempted-user; sid:16595; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell Groupwise Internet Agent RCPT command overflow attempt"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT\x20TO\x3a\s*\x3c?[^\r\n\x3e]{256}(\x3e|\x0d|\x0a)/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,33560; reference:cve,2009-0410; classtype:attempted-user; sid:16515; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Ipswitch Collaboration Suite SMTP format string exploit attempt"; flow:to_server,established; content:"MAIL FROM|3A|c|3A 07|ppsipswitchstuser@%s%s%n%s%s%s"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15752; reference:cve,2005-2931; classtype:attempted-admin; sid:16201; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SpamAssassin long message header denial of service attempt"; flow:to_server,established; content:" b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A| b|0A|"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,15373; reference:cve,2005-3351; classtype:attempted-dos; sid:16199; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SpamAssassin malformed email header DoS attempt"; flow:to_server,established; content:"Content-Type|3A| hello|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13978; reference:cve,2005-1266; classtype:attempted-dos; sid:15954; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes DOC attachment viewer buffer overflow"; flow:to_server,established; content:"Content-Disposition|3A| attachment|3B|"; content:"filename=|22|poc.doc|22|"; distance:0; content:"Mb4AAACr"; distance:0; content:"WnoHAQQABAAAAAUAtQFUaGlzIGlzIGEgdGVzdA0K"; distance:0; content:"/wAB5kBBQUFB//8"; distance:0; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26146; reference:cve,2007-5544; classtype:attempted-user; sid:15485; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"SERVER-MAIL Microsoft Windows Exchange System Attendant denial of service attempt"; flow:to_server; dsize:8; content:"|00 00 00 00|"; depth:4; metadata:policy max-detect-ips drop; reference:bugtraq,33136; reference:cve,2009-0099; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-003; classtype:attempted-dos; sid:15302; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Office Outlook Web Access invalid CSS escape sequence script execution attempt "; flow:to_server,established; content:"|22 5C 5C 22|"; fast_pattern; content:"</style>"; within:100; nocase; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2248; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-039; classtype:misc-attack; sid:13895; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Office Outlook Web Access From field cross-site scripting attempt "; flow:to_server,established; content:"From|3A|"; fast_pattern:only; pcre:"/^From\x3a[^\r\n<]*(>[^\r\n]*<|\x22[^\r\n>]*on[A-Z]{4,9}\s*\x3d)/smi"; metadata:policy max-detect-ips drop, service smtp; reference:cve,2008-2247; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-039; classtype:misc-attack; sid:13894; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Alt-N MDaemon IMAP Server FETCH command buffer overflow attempt"; flow:to_server,established; flowbits:isset,server.mdaemon; content:"FETCH"; fast_pattern:only; content:"BODY"; content:"["; isdataat:256,relative; content:!"]"; within:256; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,28245; reference:cve,2008-1358; reference:url,files.altn.com/MDaemon/Release/RelNotes_en.txt; classtype:attempted-admin; sid:13663; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; content:"SRC"; distance:0; nocase; isdataat:244,relative; pcre:"/src\s*\x3D(3D)?\s*['"][^'"]{244}/i"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Notes MIF viewer statement data overflow"; flow:to_server,established; content:"MIFFile"; fast_pattern:only; pcre:"/\x3C[^\s]+\s[^\x3c\x3E]{80}/si"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12706; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Recipient arbitrary command injection attempt"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; content:!"ORCPT"; distance:0; nocase; pcre:"/^RCPT TO\x3a[^\n]+[\x26\x3B\x7C]+/mi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,25439; reference:bugtraq,38578; reference:cve,2007-4560; classtype:attempted-admin; sid:12592; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL GNU Mailutils request tag format string vulnerability attempt"; flow:to_server,established; content:"%"; content:"n"; distance:0; pcre:"/^\S*\x25(\d+\x24)?\d*h?n\s/sm"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,13764; reference:cve,2005-1523; classtype:attempted-admin; sid:12392; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Ipswitch IMail search date command buffer overflow attempt"; flow:to_server,established; content:"search"; fast_pattern:only; pcre:"/^\S+\s+(uid\s+|)search\s[^\n]*(sent|)(on|before|since)\s+[^\s]{64}/Osmi"; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,24962; reference:cve,2007-3925; reference:url,docs.ipswitch.com/IMail%202006.21/ReleaseNotes/IMail_RelNotes.htm#NewRelease; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=563; classtype:attempted-admin; sid:12213; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Multiple IMAP servers APPEND command buffer overflow attempt"; flow:to_server,established; content:"AP"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, service imap; reference:bugtraq,21723; reference:cve,2006-6425; reference:cve,2017-1274; classtype:misc-attack; sid:10011; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Office Outlook VEVENT overflow attempt"; flow:to_server,established; file_data; content:"BEGIN|3A|VEVENT"; fast_pattern; nocase; content:"DTSTART|3B|"; distance:0; nocase; pcre:!"/^(VALUE|TZID)/Ri"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-003; classtype:attempted-user; sid:9841; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL AUTH user overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:128,relative; pcre:"/^AUTH\s+\S+\s+[^\n\s]{128}/m"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,13772; reference:cve,2005-0022; reference:cve,2005-1781; reference:cve,2005-2223; reference:cve,2006-5478; reference:cve,2007-4440; reference:cve,2018-6789; classtype:attempted-admin; sid:3824; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL X-LINK2STATE CHUNK command attempt"; flow:to_server,established; content:"X-LINK2STATE"; fast_pattern:only; pcre:"/^X-LINK2STATE\s+CHUNK/smi"; metadata:policy max-detect-ips drop, service smtp; reference:bugtraq,13118; reference:cve,2005-0560; reference:nessus,18024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-021; classtype:protocol-command-decode; sid:3627; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Exim buffer overflow attempt"; flow:to_server,established; content:"FROM"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, service smtp; reference:cve,2004-0399; reference:cve,2004-0400; classtype:attempted-admin; sid:34645; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL IBM Lotus Notes WPD attachment handling buffer overflow attempt"; flow:to_client,established; content:"=FFWPC=3D=06=00=00=01=0A"; nocase; content:"=D5ju=FC=16=F8=AE2"; distance:0; nocase; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,34086; reference:cve,2008-4564; classtype:attempted-admin; sid:34632; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL cURL protocol file path URL parsing control character injection attempt"; flow:to_server,established; file_data; content:"smtp://"; nocase; content:"%0d%0a"; within:25; nocase; metadata:service smtp; reference:bugtraq,51665; reference:cve,2012-0036; reference:url,curl.haxx.se/docs/adv_20120124.html; classtype:attempted-user; sid:35555; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL cURL protocol file path URL parsing control character injection attempt"; flow:to_client,established; file_data; content:"smtp://"; nocase; content:"%0d%0a"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,51665; reference:cve,2012-0036; reference:url,curl.haxx.se/docs/adv_20120124.html; classtype:attempted-user; sid:35554; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL cURL protocol file path URL parsing control character injection attempt"; flow:to_server,established; file_data; content:"pop3://"; nocase; content:"%0d%0a"; within:25; nocase; metadata:service smtp; reference:bugtraq,51665; reference:cve,2012-0036; reference:url,curl.haxx.se/docs/adv_20120124.html; classtype:attempted-user; sid:35553; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL cURL protocol file path URL parsing control character injection attempt"; flow:to_client,established; file_data; content:"pop3://"; nocase; content:"%0d%0a"; within:25; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,51665; reference:cve,2012-0036; reference:url,curl.haxx.se/docs/adv_20120124.html; classtype:attempted-user; sid:35552; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Domino BMP color palette stack buffer overflow attempt"; flow:to_server,established; file_data; content:"BM"; depth:2; content:"|00 00 00 00|"; within:4; distance:4; content:"|28 00 00 00|"; within:4; distance:4; byte_test:2,<,16,10,relative,little; byte_test:4,>,0x100,28,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74598; reference:cve,2015-1903; classtype:attempted-admin; sid:35944; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Multiple IMAP servers EXAMINE command buffer overflow attempt"; flow:to_server,established; content:"EXAMINE"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:service imap; reference:cve,2006-6290; reference:cve,2017-1274; classtype:attempted-admin; sid:37375; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL excessive email recipients - potential spam attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; content:"rcpt to|3A|"; distance:0; nocase; pcre:"/(\nrcpt to:.*){256}/i"; metadata:service smtp; classtype:misc-activity; sid:38136; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt"; flow:to_server,established; file_data; content:"GIF89a"; depth:6; content:"|21 F9 04|"; distance:0; content:"|00 2C|"; within:2; distance:4; byte_test:2,>,65500,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,74194; reference:cve,2015-0135; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21701647; classtype:attempted-user; sid:39655; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL IBM Lotus Domino Server nrouter.exe malformed GIF parsing remote exploit attempt"; flow:to_client,established; file_data; content:"GIF89a"; depth:6; content:"|21 F9 04|"; distance:0; content:"|00 2C|"; within:2; distance:4; byte_test:2,>,65500,4,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,74194; reference:cve,2015-0135; reference:url,www-01.ibm.com/support/docview.wss?uid=swg21701647; classtype:attempted-user; sid:39654; rev:1;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SysGauge SMTP response buffer overflow"; flow:to_client,established; content:"220|20|"; depth:4; isdataat:523; content:!"|0D 0A|"; within:523; content:"ESMTP Sendmail"; distance:0; metadata:service smtp; classtype:attempted-user; sid:43136; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt"; flow:to_server,established; file_data; content:"mhtml:"; fast_pattern; nocase; content:"file://"; within:100; content:"!http://"; within:250; metadata:service smtp; reference:cve,2004-0380; classtype:attempted-admin; sid:44735; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MAIL Microsoft Outlook Express mhtml code execution attempt"; flow:to_client,established; file_data; content:"mhtml:"; fast_pattern; nocase; content:"file://"; within:100; content:"!http://"; within:250; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2004-0380; classtype:attempted-admin; sid:44734; rev:1;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Multiple products non-ascii sender address spoofing attempt"; flow:to_client,established; content:"From:"; nocase; content:"=?utf-8?"; within:10; nocase; content:"=?utf-8?"; within:100; nocase; content:"=00"; distance:0; nocase; content:"=0A"; within:100; distance:-10; nocase; content:"To:"; distance:0; nocase; content:"Subject:"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; reference:cve,2017-7829; reference:cve,2018-0819; reference:url,mailsploit.com; classtype:misc-attack; sid:45119; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Multiple products non-ascii sender address spoofing attempt"; flow:to_server,established; content:"MAIL FROM:"; nocase; content:"=?utf-8?"; within:10; nocase; content:"=?utf-8?"; within:100; nocase; content:"=00"; distance:0; nocase; content:"=0A"; within:100; distance:-10; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-7829; reference:cve,2018-0819; reference:url,mailsploit.com; classtype:misc-attack; sid:45118; rev:3;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Multiple products non-ascii sender address spoofing attempt"; flow:to_client,established; content:"From:"; nocase; content:"?utf-8?Q?="; within:100; content:"=?utf-8?b?"; within:200; distance:-100; content:"To:"; distance:0; nocase; content:"Subject:"; distance:0; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; reference:cve,2017-7829; reference:cve,2018-0819; reference:url,mailsploit.com; classtype:misc-attack; sid:45116; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Multiple products non-ascii sender address spoofing attempt"; flow:to_server,established; content:"MAIL FROM:"; nocase; content:"?utf-8?Q?="; within:100; content:"=?utf-8?b?"; within:200; distance:-100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2017-7829; reference:cve,2018-0819; reference:url,mailsploit.com; classtype:misc-attack; sid:45115; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt"; flow:to_server,established; file_data; content:"Content-Type: message/delivery-status|0D 0A 0D 0A|<<"; content:"alert("; within:100; nocase; metadata:service smtp; reference:cve,2004-0591; classtype:attempted-admin; sid:45639; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt"; flow:to_server,established; file_data; content:"data<<"; depth:6; nocase; metadata:service smtp; reference:cve,2004-0591; classtype:attempted-admin; sid:45638; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"SERVER-MAIL Multiple IMAP servers DELETE command buffer overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:service imap; reference:cve,2017-1274; classtype:attempted-admin; sid:46484; rev:1;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Office 365 ATP Safe Links bypass attempt"; flow:to_client,established; file_data; content:"<base href="; content:"<a href="; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; classtype:attempted-user; sid:46633; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Office 365 ATP Safe Links bypass attempt"; flow:to_server,established; file_data; content:"<base href="; content:"<a href="; within:100; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; classtype:attempted-user; sid:46632; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EHLO user overflow attempt"; flow:to_server,established; content:"EHLO "; nocase; isdataat:500,relative; content:!"|20|"; within:495; distance:4; content:!"|0A|"; within:500; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:bugtraq,13772; reference:cve,2018-6789; classtype:attempted-admin; sid:46610; rev:2;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt"; flow:to_client,established; file_data; content:"Content-Type: text/html"; content:"<base href"; distance:0; content:"<a href"; distance:0; content:"--"; distance:0; content:"Content-Type: text/html"; distance:0; content:"</a>"; distance:0; pcre:"/Content-Type: text\x2fhtml.+?\x3cbase href.+?\x3ca href(?!.+?\x3c\x2fa\x3e.+?Content-Type).+?Content-Type.+?\x3c\x2fa\x3e/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1020; classtype:attempted-recon; sid:46685; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt"; flow:to_server,established; file_data; content:"Content-Type: text/html"; content:"<base href"; distance:0; content:"<a href"; distance:0; content:"--"; distance:0; content:"Content-Type: text/html"; distance:0; content:"</a>"; distance:0; pcre:"/Content-Type: text\x2fhtml.+?\x3cbase href.+?\x3ca href(?!.+?\x3c\x2fa\x3e.+?Content-Type).+?Content-Type.+?\x3c\x2fa\x3e/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1020; classtype:attempted-recon; sid:46684; rev:2;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt"; flow:to_client,established; file_data; content:"Content-Type: text/html"; content:"--"; distance:0; content:"Content-Type: text/html"; distance:0; pcre:"/Content-Type: text\x2fhtml[\S\s]+?\x3c[^\x3e]+?[\x22\x27]?(https?|ftp|file|telnet):\x2f\x2f[^\x22\x27\x3e]+?--[^\x3e]+?\x0d\x0a.+?Content-Type: text\x2fhtml/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1020; classtype:attempted-recon; sid:46683; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Multiple products email with crafted MIME parts direct exfiltration attempt"; flow:to_server,established; file_data; content:"Content-Type: text/html"; content:"--"; distance:0; content:"Content-Type: text/html"; distance:0; pcre:"/Content-Type: text\x2fhtml[\S\s]+?\x3c[^\x3e]+?[\x22\x27]?(https?|ftp|file|telnet):\x2f\x2f[^\x22\x27\x3e]+?--[^\x3e]+?\x0d\x0a.+?Content-Type: text\x2fhtml/is"; metadata:policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1020; classtype:attempted-recon; sid:46682; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-MAIL PHPMailer information disclosure attempt"; flow:to_server,established; content:"your-email="; fast_pattern:only; http_client_body; content:"your-message="; nocase; http_client_body; content:"%3Cimg"; distance:0; http_client_body; metadata:service http; reference:cve,2017-5223; reference:url,github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md; classtype:attempted-recon; sid:48029; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EHLO user overflow attempt"; flow:to_server,established; content:"EHLO "; depth:5; nocase; isdataat:125,relative; content:!"|20|"; within:120; distance:4; content:!"|0A|"; within:125; metadata:service smtp; reference:bugtraq,13772; reference:cve,2018-6789; classtype:attempted-admin; sid:47541; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Zerofont phishing attempt"; flow:to_server,established; file_data; content:"<span style="; content:"font-size:0"; within:20; nocase; content:"<span style="; distance:0; content:"font-size:0"; within:20; nocase; content:"<span style="; distance:0; content:"font-size:0"; within:20; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1192; classtype:attempted-user; sid:47116; rev:2;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"SERVER-MAIL Zerofont phishing attempt"; flow:to_client,established; file_data; content:"<span style="; content:"font-size:0"; within:20; nocase; content:"<span style="; distance:0; content:"font-size:0"; within:20; nocase; content:"<span style="; distance:0; content:"font-size:0"; within:20; nocase; metadata:service imap, service pop3; reference:url,attack.mitre.org/techniques/T1192; classtype:attempted-user; sid:47115; rev:2;)
|