41 lines
8.7 KiB
Plaintext
41 lines
8.7 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#------------------
|
|
# OS-SOLARIS RULES
|
|
#------------------
|
|
|
|
# alert udp $EXTERNAL_NET 513 -> $HOME_NET 513 (msg:"OS-SOLARIS Oracle Solaris in.rwhod hostname denial of service attempt"; flow:to_server; content:"|01 01 00 00|"; depth:4; isdataat:40,relative; content:!"|00|"; within:32; distance:8; reference:bugtraq,13401; reference:cve,2004-1351; classtype:attempted-dos; sid:20725; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OS-SOLARIS Oracle Solaris username overflow authentication bypass attempt"; flow:to_server,established; content:"c c c c c c c c c"; metadata:service telnet; reference:cve,2001-0797; classtype:attempted-admin; sid:13613; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability"; flow:to_server,established; content:"|0A|U"; content:"../.."; fast_pattern:only; content:"|0A|"; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:12080; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd unlink file attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|02|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; metadata:service printer; reference:bugtraq,14510; reference:cve,2005-4797; classtype:misc-attack; sid:10418; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"OS-SOLARIS Oracle Solaris login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-f"; distance:0; rawbytes; metadata:service telnet; reference:bugtraq,22512; reference:cve,2007-0882; classtype:attempted-admin; sid:10136; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris LPD overflow attempt"; flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; reference:bugtraq,3274; reference:cve,2001-1583; classtype:attempted-admin; sid:3527; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
|
|
# alert udp $EXTERNAL_NET 67 -> $HOME_NET 68 (msg:"OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt"; flow:to_server; content:"|63 82 53 63|"; content:"|35 01 05|"; distance:0; fast_pattern; content:"|0F|"; distance:0; content:"|20|"; within:100; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,14687; reference:cve,2005-2870; classtype:attempted-user; sid:17433; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|0A 55|"; content:"|2F|"; distance:0; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:17353; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; sid:4144; rev:12;)
|
|
# alert udp $EXTERNAL_NET 177 -> $HOME_NET any (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_client; content:"|00 1C|"; depth:2; offset:17; reference:cve,2004-0368; classtype:attempted-admin; sid:37511; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_server,established; content:"|00 01 00 07|"; depth:4; content:!"|00 00|"; within:2; distance:5; reference:cve,2004-0368; classtype:attempted-admin; sid:39936; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,32768:] (msg:"OS-SOLARIS Solaris RPC XDR overflow code execution attempt"; flow:to_server,established; content:"|80 00 04 E8|"; depth:4; content:"|00 00 00 00 00 00 00 02 00 01|"; within:10; distance:4; content:"|00 00 55 DE|"; within:4; distance:10; byte_jump:4,0,relative,post_offset 8; isdataat:288,relative; reference:cve,2017-3623; reference:url,seclists.org/dailydave/2016/q4/15; classtype:attempted-admin; sid:42226; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_server,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42254; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_client,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42253; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|120|5C|260|5C|33|5C|350|5C|41|5C|0|5C|0|5C|0|5C|350|5C|0|5C|0|5C|0|5C|0|5C|137|5C|213|5C|307|5C|5|5C|44|5C|0|5C|0|5C|0|5C|120|5C|203|5C|307|5C|157|5C|127|5C|63|5C|300|5C|260|5C|13|5C|350|5C|6|5C|0|5C|0|5C|0|5C|63|5C|300|5C|120|5C|120|5C|260|5C|1|5C|232|5C|0|5C|0|5C|0|5C|0|5C|47|5C|0|5C|303"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42283; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|353|5C|6|5C|137|5C|210|5C|107|5C|6|5C|353|5C|55|5C|350|5C|365|5C|377|5C|377|5C|377|5C|232|5C|172|5C|121|5C|114|5C|37|5C|47|5C|5|5C|303|5C|63|5C|322|5C|130|5C|215|5C|170|5C|24|5C|122|5C|127|5C|120|5C|253|5C|222|5C|253|5C|210|5C|102|5C|10|5C|260|5C|73|5C|350|5C|342|5C|377|5C|377|5C|377|5C|63|5C|300|5C|120|5C|260|5C|1|5C|350|5C|330|5C|377|5C|377|5C|377|5C|350|5C|333|5C|377|5C|377|5C|377|5C|57|5C|142|5C|151|5C|156|5C|57|5C|153|5C|163|5C|150|5C|"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42282; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|100|5C|0|5C|0|5C|2|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|33|5C|221|5C|320|5C|40|5C|10|5C|220|5C|3|5C|340|5C|176|5C|222|5C|3|5C|340|5C|54|5C|202|5C|20|5C|40|5C|13|5C|221|5C|320|5C|40|5C|10|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|1|5C|221|5C|320|5C|40|5C|10|5C|0|5C|2"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42281; rev:1;)
|