snort2-docker/docker/etc/rules/server-mysql.rules
2020-02-24 08:56:30 -05:00

95 lines
32 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# SERVER-MYSQL RULES
#--------------------
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"envelope("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0600000001000000"; within:16; distance:10; content:"01000000"; within:8; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26313; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"envelope("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0500000001000000"; within:16; distance:10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26312; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"envelope("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0300000001000000"; within:16; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26311; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"envelope("; fast_pattern; nocase; content:"0x"; distance:0; byte_test:2,>=,0x10,18,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26310; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"st_area("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0600000001000000"; within:16; distance:10; content:"01000000"; within:8; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26309; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"st_area("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0500000001000000"; within:16; distance:10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26308; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"st_area("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0300000001000000"; within:16; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26307; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"st_area("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"02000000"; within:8; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26306; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"astext("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0600000001000000"; within:16; distance:10; content:"01000000"; within:8; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26305; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"astext("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0500000001000000"; within:16; distance:10; byte_test:2,>=,0x10,16,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26304; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"astext("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0300000001000000"; within:16; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26303; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query linestring object integer overflow attempt"; flow:to_server,established; content:"astext("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"02000000"; within:8; distance:10; byte_test:2,>=,0x10,6,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26302; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multipolygon object integer overflow attempt"; flow:to_server,established; content:"geometryn("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0700000001000000"; within:16; distance:10; content:"0600000001000000"; within:16; distance:2; content:"01000000"; within:8; distance:10; byte_test:8,>=,65535,0,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26301; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query multistring object integer overflow attempt"; flow:to_server,established; content:"geometryn("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0700000001000000"; within:16; distance:10; content:"0500000001000000"; within:16; distance:2; byte_test:8,>=,65535,10,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26300; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query polygon object integer overflow attempt"; flow:to_server,established; content:"geometryn("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0700000001000000"; within:16; distance:10; content:"0300000002000000"; within:16; distance:2; byte_test:8,>=,65535,8,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:26299; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Oracle MySQL MDL free corrupted pointer heap overflow attempt"; flow:to_server,established; content:"delete"; depth:6; offset:5; nocase; isdataat:200,relative; metadata:service mysql; reference:bugtraq,56768; reference:cve,2012-5612; classtype:attempted-user; sid:24910; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Oracle MySQL select UpdateXML nested xml elements denial of service attempt"; flow:to_server,established; content:"SELECT "; nocase; content:"UpdateXML|28|"; within:50; nocase; isdataat:1024; content:!"|29|"; within:1024; pcre:"/^\s*[\x22\x27]<\w>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>\s*<\s*[a-z][0-9]\s*>/Ri"; metadata:service mysql; reference:cve,2012-5614; classtype:attempted-dos; sid:24909; rev:2;)
# alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"SERVER-MYSQL Oracle MySQL user enumeration attempt"; flow:to_client,established,no_stream; content:"|15 04|"; depth:2; offset:5; content:"Access denied for user"; fast_pattern:only; detection_filter:track by_dst,count 10, seconds 2; metadata:service mysql; reference:bugtraq,56766; reference:cve,2012-5615; classtype:attempted-recon; sid:24908; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Oracle MySQL grant file long database name stack overflow attempt"; flow:to_server,established; content:"grant "; nocase; isdataat:193,relative; pcre:"/grant\s.+?\son\s[^\.\s]{193}/mi"; metadata:service mysql; reference:bugtraq,56769; reference:cve,2012-5611; classtype:attempted-user; sid:24897; rev:4;)
# alert tcp any any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB client authentication bypass attempt"; flow:to_server,established,no_stream; content:"|00 00 01|"; depth:3; offset:1; fast_pattern; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:23; distance:9; detection_filter:track by_src,count 100, seconds 60; metadata:service mysql; reference:cve,2012-2122; classtype:attempted-admin; sid:23115; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database SELECT subquery denial of service attempt"; flow:to_server,established; content:"|65 6C 65 63 74 20 2A 20 66 72 6F 6D 20 62 6F 6F 6D 29 20 69|"; fast_pattern:only; metadata:service mysql; reference:cve,2009-4019; reference:url,bugs.mysql.com/bug.php?id=48291; classtype:attempted-dos; sid:20053; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL mysql_log COM_DROP_DB format string vulnerability exploit attempt"; flow:to_server,established; content:"|06|"; depth:1; offset:4; content:"|25|"; distance:0; byte_jump:3,0,little; isdataat:0,relative; isdataat:!1,relative; metadata:service mysql; reference:bugtraq,35609; reference:cve,2009-2446; classtype:attempted-user; sid:16708; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL mysql_log COM_CREATE_DB format string vulnerability exploit attempt"; flow:to_server,established; content:"|05|"; depth:1; offset:4; content:"|25|"; distance:0; byte_jump:3,0,little; isdataat:0,relative; isdataat:!1,relative; metadata:service mysql; reference:bugtraq,35609; reference:cve,2009-2446; classtype:attempted-user; sid:16707; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL yaSSL library cert parsing stack overflow attempt"; flow:to_server,established; content:"|16 03 01|"; depth:3; content:"|0B|"; within:1; distance:2; content:"*|86 00 84 00 00 04|"; within:8; distance:56; metadata:service mysql; reference:bugtraq,37640; reference:cve,2009-4484; classtype:attempted-user; sid:16385; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL database Procedure Analyse denial of service attempt - 2"; flow:to_server,established; content:",|00 00 00 03|select * from `theview` procedure analyse|28 29|"; depth:48; metadata:service mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16349; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL database PROCEDURE ANALYSE denial of service attempt - 1"; flow:to_server,established; content:"'|00 00 00 03|select * from `v1` procedure analyse|28 29|"; depth:43; metadata:service mysql; reference:cve,2009-4019; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html; classtype:attempted-dos; sid:16348; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL create function libc arbitrary code execution attempt"; flow:to_server,established; content:"|03|create function"; depth:16; offset:4; content:"libc.so"; distance:0; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:attempted-user; sid:15952; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL XML Functions ExtractValue Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:4; content:"SELECT"; distance:0; nocase; content:"ExtractValue"; distance:1; nocase; pcre:"/^.{4}\x03\s*SELECT\s+ExtractValue\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x29/siO"; metadata:service mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15442; rev:6;)
# alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"SERVER-MYSQL Oracle Mysql login attempt from unauthorized location"; flow:established,to_client; content:"j|04|"; depth:2; offset:5; metadata:service mysql; reference:url,dev.mysql.com/doc/refman/5.1/en/error-messages-server.html; classtype:misc-activity; sid:13358; rev:7;)
# alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"SERVER-MYSQL failed Oracle Mysql login attempt"; flow:established,to_client; content:"|15 04|"; depth:2; offset:5; metadata:service mysql; reference:url,dev.mysql.com/doc/refman/5.1/en/error-messages-server.html; classtype:misc-activity; sid:13357; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL create function buffer overflow attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function\s+\S{50}/smi"; metadata:service mysql; reference:bugtraq,14509; reference:cve,2005-2558; classtype:misc-activity; sid:4649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,!&,0x02,4; content:"|00|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3672; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL protocol 41 client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,&,0x02,4; content:"|00|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3671; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3670; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL protocol 41 secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3669; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|"; offset:9; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3668; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL protocol 41 client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14 00|"; offset:36; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3667; rev:10;)
# alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"SERVER-MYSQL server greeting finished"; flow:to_client,established; byte_test:1,>,0,3; flowbits:isset,mysql.server_greeting; flowbits:unset,mysql.server_greeting; flowbits:noalert; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3666; rev:12;)
# alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"SERVER-MYSQL server greeting"; flow:to_client,established; content:"|00|"; depth:1; offset:3; flowbits:set,mysql.server_greeting; flowbits:noalert; metadata:service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3665; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow default port"; flow:to_server,established; content:"websql?logon"; nocase; content:"wqPassword="; distance:0; nocase; pcre:"/wqPassword=[^\r\n\x26]{294}/i"; metadata:service http; reference:bugtraq,12265; reference:cve,2005-0111; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-attack; sid:3519; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-MYSQL MaxDB WebSQL wppassword buffer overflow"; flow:to_server,established; content:"websql?logon"; nocase; content:"wqPassword="; distance:0; nocase; pcre:"/wqPassword=[^\r\n\x26]{294}/i"; metadata:service http; reference:bugtraq,12265; reference:cve,2005-0111; classtype:web-application-attack; sid:3518; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:3456; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; fast_pattern:only; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:1776; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; fast_pattern:only; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:1775; rev:9;)
# alert tcp $EXTERNAL_NET 3306 -> $HOME_NET any (msg:"SERVER-MYSQL MySQL/MariaDB mysql.cc buffer overflow attempt"; flow:to_client,established; content:"|01 00 00 01 01 27 00 00 02|"; depth:9; content:"@@version_comment"; fast_pattern; isdataat:460,relative; metadata:service mysql; reference:bugtraq,65298; reference:cve,2014-0001; classtype:attempted-user; sid:31570; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SERVER-MYSQL Oracle MySQL Server XPath memory Corruption attempt"; flow:to_server,established; content:"substring("; nocase; content:",.."; within:7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:cve,2014-0384; classtype:denial-of-service; sid:32533; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt"; flow:to_server, established,no_stream; content:"@@"; fast_pattern:only; content:"add"; depth:3; detection_filter:track by_src, count 50, seconds 5; metadata:impact_flag red; reference:cve,2013-1570; classtype:denial-of-service; sid:32651; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt"; flow:to_server, established,no_stream; content:"@@"; fast_pattern:only; content:"set"; depth:3; detection_filter:track by_src, count 50, seconds 5; metadata:impact_flag red; reference:cve,2013-1570; classtype:denial-of-service; sid:32650; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt"; flow:to_server, established,no_stream; content:"@@"; fast_pattern:only; content:"get"; depth:3; detection_filter:track by_src, count 50, seconds 5; metadata:impact_flag red; reference:cve,2013-1570; classtype:denial-of-service; sid:32649; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt"; flow:to_server, established,no_stream; content:"|80|"; depth:1; content:"@@"; distance:2; detection_filter:track by_src, count 50, seconds 5; metadata:impact_flag red; reference:cve,2013-1570; classtype:denial-of-service; sid:32648; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11211 (msg:"SERVER-MYSQL Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt"; flow:to_server, established,no_stream; content:"bind"; detection_filter:track by_src, count 50, seconds 5; metadata:impact_flag red; reference:cve,2013-1570; classtype:denial-of-service; sid:32647; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query object integer overflow attempt"; flow:to_server,established; content:"geometryn("; fast_pattern; nocase; content:"0x"; distance:0; byte_test:8,>=,65535,54,relative,string,hex; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:33637; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database unique set column denial of service attempt"; flow:to_server,established; content:"select |2A| from A join B on |27|val|27| like colA"; fast_pattern:only; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,42646; reference:cve,2010-3677; classtype:attempted-dos; sid:19094; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database unique set column denial of service attempt"; flow:to_server,established; content:"select 1 from |60|t2|60| join |60|t1|60| on 1 like |60|a|60|"; fast_pattern:only; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,42646; reference:cve,2010-3677; classtype:attempted-dos; sid:19093; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL IN NULL argument denial of service attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:4; content:"SELECT"; distance:0; nocase; content:"IN"; distance:0; nocase; content:"NULL"; within:10; fast_pattern; nocase; pcre:"/IN\s*\x28\s*NULL\s*\x2C\s*[0-9a-z\x24\x5F\x60]/i"; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,42596; reference:cve,2010-3678; classtype:attempted-dos; sid:19001; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database CASE NULL argument denial of service attempt"; flow:to_server,established; content:"|03|select|20 28|case|20 28 60|a|60 29 20|when"; depth:30; content:"group|20|by|20 60|a|60 0A|with|20|rollup"; within:100; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,42596; reference:cve,2010-3678; classtype:attempted-dos; sid:19000; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL yaSSL SSL Hello Message Buffer Overflow attempt"; flow:to_server,established; content:"|20 00 00 01|"; depth:4; content:"|8D|"; within:2; content:"|00 00 00 00 00 40 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 03 01 00 00 00 00 0F FF|"; within:42; metadata:policy max-detect-ips drop, service mysql; reference:cve,2008-0226; reference:url,aluigi.altervista.org/adv/yasslick-adv.txt; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-admin; sid:18513; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL create function mysql.func arbitrary library injection attempt"; flow:to_server,established; content:"|03|"; depth:5; content:"mysql.func"; distance:0; nocase; pcre:"/(INSERT|UPDATE)\s*[\s\w]*((mysql\.)?func)[^\r\n]+values\s*\([^\)]+\x2c[\x22\x27][^\x22\x27]*\x2f/i"; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,12781; reference:cve,2005-0710; classtype:attempted-user; sid:17412; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Database COM_FIELD_LIST Buffer Overflow attempt"; flow:to_server,established; content:"|04|"; depth:1; offset:4; pcre:"/^[^\x0D\x0A\x00]{512}/iR"; metadata:policy max-detect-ips drop, service mysql; reference:cve,2010-1850; classtype:attempted-user; sid:16703; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL login handshake information disclosure attempt"; flow:to_server,established; content:"|01 0D A6 03 00 00 00 00 01 08|"; fast_pattern:only; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,17780; reference:cve,2006-1516; classtype:misc-activity; sid:16020; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"SERVER-MYSQL MaxDB Webtool GET command overflow attempt"; flow:to_server,established; content:"GET /%AAAAAAAA"; depth:14; metadata:policy max-detect-ips drop, service http; reference:bugtraq,13368; reference:cve,2005-0684; classtype:attempted-user; sid:15951; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL XML Functions UpdateXML Scalar XPath denial of service attempt"; flow:to_server,established; content:"|03|"; depth:1; offset:4; content:"SELECT"; distance:0; nocase; content:"UpdateXML"; distance:1; nocase; pcre:"/^.{4}\x03\s*SELECT\s+UpdateXML\s*\x28.*?\x2c\s*((\x22|\x27)?[0-9].*?|(?P<q1>(\x22|\x27)?)\x28.*?\x29(?P=q1)|.*?\x24\x40.*?|\x22.*?\x27.*?|\x27.*?\x22.*?)\s*\x2c.*?\x29/siO"; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,33972; reference:cve,2009-0819; reference:url,dev.mysql.com/doc/refman/5.1/en/news-5-1-32.html; reference:url,secunia.com/advisories/34115; classtype:attempted-dos; sid:15443; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt"; flow:to_server,established; content:"|16 03 01|"; content:"|01|"; within:1; distance:2; content:"|03 01|"; within:2; distance:3; byte_jump:1,32,relative; byte_test:2,>,64,0,relative; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13714; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Date_Format denial of service attempt"; flow:to_server,established; content:"DATE_FORMAT"; nocase; pcre:"/DATE_FORMAT\x28\s*(\x22[^\x22]+\x25[^\x22]*\x22|\x27[^\x27]+\x25[^\x27]*\x27)/smi"; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,19032; reference:cve,2006-3469; reference:url,dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html; classtype:attempted-dos; sid:8057; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL create function access attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function/smi"; metadata:policy max-detect-ips drop, service mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:misc-activity; sid:3528; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Multiple SQL products privilege escalation attempt"; flow:to_server,established; content:"set "; content:"global "; within:15; content:"general_log_file"; within:35; content:"/my.cnf"; within:100; pcre:"/set\s+global\s+general_log_file\s+=\s+[\x22\x27][^\x22\x27]{0,100}my\.cnf[\x22\x27]/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6662; classtype:attempted-admin; sid:40254; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL Multiple SQL products privilege escalation attempt"; flow:to_server,established; content:"select "; nocase; content:"malloc_lib="; within:100; nocase; content:".so"; within:50; nocase; pcre:"/select [\x22\x27][^\x22\x27]{0,100}malloc_lib=\S+\.so[\x22\x27]/si"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-6662; classtype:attempted-admin; sid:40253; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL MySQL/MariaDB Server geometry query integer overflow attempt"; flow:to_server,established; content:"geometryn("; fast_pattern; nocase; content:"0x"; distance:0; nocase; content:"0007000000010000000003000000ffffffff"; within:36; distance:8; metadata:service mysql; reference:cve,2013-1861; classtype:attempted-admin; sid:44674; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL UDF function drop attempt"; flow:to_server,established; content:"|03|drop"; offset:4; nocase; content:"sys_"; within:50; fast_pattern; pcre:"/\x03drop\s+function(\s+if\s+exists)*\s+sys_(exec|eval|get|bineval|set)/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service mysql; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb; classtype:misc-activity; sid:45848; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL UDF function create attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; content:"sys_"; within:50; fast_pattern; pcre:"/\x03create\s+function\s+sys_(exec|eval|get|bineval|set)\s+returns/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service mysql; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb; classtype:misc-activity; sid:45847; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL UDF function check attempt"; flow:to_server,established; content:"|03|select"; offset:4; nocase; content:"where"; within:100; nocase; content:"sys_"; within:50; fast_pattern; pcre:"/where\s+name\s+\x3D\s+[\x22\x27]sys_(exec|eval|get|bineval|set)/m"; metadata:policy max-detect-ips drop, policy security-ips drop, service mysql; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb; classtype:misc-activity; sid:45846; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL UDF system access attempt"; flow:to_server,established; content:"|03|select"; offset:4; nocase; content:"sys_"; within:50; fast_pattern; pcre:"/\x03select\s+sys_(exec|eval|get|bineval|set)/im"; metadata:policy max-detect-ips drop, policy security-ips drop, service mysql; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/mysql/mysql_udf_payload.rb; classtype:attempted-user; sid:45845; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL into dumpfile function attempt"; flow:to_server,established; content:"into"; nocase; content:"dumpfile"; within:50; nocase; pcre:"/into\s+dumpfile/i"; metadata:policy max-detect-ips drop, policy security-ips drop, service mysql; reference:url,dev.mysql.com/doc/refman/5.7/en/select-into.html; classtype:misc-activity; sid:45844; rev:1;)