snort2-docker/docker/etc/rules/os-linux.rules
2020-02-24 08:56:30 -05:00

80 lines
26 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#----------------
# OS-LINUX RULES
#----------------
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt"; ip_proto:132; content:"|0A 00|"; depth:2; offset:12; fast_pattern; byte_extract:4,0,chunk_length_plus_cookie_crumb,relative; content:"|0A 00|"; distance:0; byte_test:4,=,chunk_length_plus_cookie_crumb,0,relative; reference:bugtraq,60715; reference:cve,2013-2206; classtype:attempted-dos; sid:30326; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel IA32 out-of-bounds system call attempt"; flow:to_server,established; file_data; content:"kernelmodecode"; fast_pattern:only; content:"commit_creds"; nocase; content:"prepare_kernel_cred"; distance:0; metadata:service smtp; reference:cve,2010-3301; classtype:attempted-admin; sid:24371; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel IA32 out-of-bounds system call attempt"; flow:to_client,established; file_data; content:"kernelmodecode"; fast_pattern; content:"commit_creds"; distance:0; nocase; content:"prepare_kernel_cred"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2010-3301; classtype:attempted-admin; sid:24370; rev:5;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Red Hat Enterprise Linux DNS resolver buffer overflow attempt"; flow:to_client; content:"|D3 A9 85 80 00 01 00|2"; metadata:service dns; reference:bugtraq,6186; reference:cve,2002-0029; classtype:attempted-admin; sid:15963; rev:5;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt"; ip_proto:33; content:"|22|"; depth:1; offset:29; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,30704; reference:cve,2008-3276; classtype:denial-of-service; sid:15907; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:265; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:264; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:262; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel ARM put_user write outside process address space privilege escalation attempt"; flow:to_server,established; file_data; content:"|02 98 2A 1C 01 F0 4C EE A8 42 02 D0 1B 48 78 44 17 E0 E2 19 01 98 19 49 08 F0 81 FA 01 30 04 D1|"; fast_pattern:only; metadata:service smtp; reference:bugtraq,63734; reference:cve,2013-6282; classtype:attempted-admin; sid:28999; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel ARM put_user write outside process address space privilege escalation attempt"; flow:to_client,established; file_data; content:"|02 98 2A 1C 01 F0 4C EE A8 42 02 D0 1B 48 78 44 17 E0 E2 19 01 98 19 49 08 F0 81 FA 01 30 04 D1|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:bugtraq,63734; reference:cve,2013-6282; classtype:attempted-admin; sid:28998; rev:2;)
# alert ip any any -> any any (msg:"OS-LINUX Linux kernel IGMP queries denial of service attempt"; ip_proto:2; content:"|11|"; depth:1; content:"|00|"; within:1; metadata:policy max-detect-ips drop; reference:cve,2012-0207; classtype:denial-of-service; sid:25314; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00|"; depth:2; offset:14; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:18997; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP Unknown Chunk Types denial of service attempt"; ip_proto:132; dsize:>12; byte_test:1,>,14,12; metadata:policy max-detect-ips drop; reference:bugtraq,24376; reference:bugtraq,54797; reference:cve,2007-2876; classtype:attempted-dos; sid:17302; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_process_unk_param SCTPChunkInit buffer overflow attempt"; ip_proto:132; content:"|01|"; depth:1; offset:12; byte_test:2,>,0xC000,19,relative; pcre:!"/^.{19}\xC0[\x05\x06\x09\x0B\x0C]/sR"; byte_jump:2,21,relative,align,post_offset -4; byte_test:2,>,0xC000,0,relative; pcre:!"/^\xC0[\x05\x06\x09\x0B\x0C]/R"; metadata:policy max-detect-ips drop; reference:bugtraq,39794; reference:cve,2010-1173; classtype:attempted-admin; sid:16724; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"OS-LINUX Linux Kernel NFSD Subsystem overflow attempt"; flow:to_server; content:"|00 00 00 22|"; content:"|00 00 00 01 00 00 10 00 00 00 03|D|00 00 00 1A|"; within:16; distance:16; metadata:policy max-detect-ips drop; reference:bugtraq,31133; reference:cve,2008-3915; classtype:attempted-dos; sid:16352; rev:7;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel DCCP Protocol Handler dccp_setsockopt_change integer overflow attempt"; ip_proto:33; content:" "; depth:1; offset:29; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,30704; reference:cve,2008-3276; classtype:denial-of-service; sid:15906; rev:8;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux SCTP malformed forward-tsn chunk arbitrary code execution attempt"; ip_proto:132; content:"|C0 00|"; depth:2; offset:12; byte_test:2,>,500,0,relative,big; metadata:policy max-detect-ips drop; reference:bugtraq,33113; reference:cve,2009-0065; classtype:attempted-admin; sid:15490; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX kernel SCTP chunkless packet denial of service attempt"; ip_proto:132; dsize:12; metadata:policy max-detect-ips drop; reference:bugtraq,18755; reference:cve,2006-2934; classtype:attempted-dos; sid:7021; rev:9;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP Unknown Chunk Types denial of service attempt"; ip_proto:132; dsize:>12; content:"|C1|"; depth:1; offset:12; byte_test:2,&,3,18,relative; reference:cve,2014-3673; classtype:attempted-dos; sid:34802; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|B8 FC FF FF FF 48 39 45 E8|"; content:"|BA 88 00 00 00|"; content:"|48 83 7D E8 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0728; classtype:attempted-admin; sid:37438; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|83 7D E4 FC|"; content:"|68 88 00 00 00|"; content:"|83 7D E4 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-0728; classtype:attempted-admin; sid:37437; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|B8 FC FF FF FF 48 39 45 E8|"; content:"|BA 88 00 00 00|"; content:"|48 83 7D E8 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0728; classtype:attempted-admin; sid:37436; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux Kernel keyring object exploit download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"libkeyutils"; content:"keyctl"; within:200; content:"|83 7D E4 FC|"; content:"|68 88 00 00 00|"; content:"|83 7D E4 3F|"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-0728; classtype:attempted-admin; sid:37435; rev:2;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP handshake COOKIE ECHO Chunks denial of service attempt"; ip_proto:132; content:"|01|"; depth:1; offset:12; fast_pattern; content:"|80 00|"; depth:2; offset:40; content:!"|C0 00|"; within:6; distance:2; content:!"|0F|"; depth:1; offset:48; reference:bugtraq,65943; reference:cve,2014-0101; classtype:attempted-dos; sid:37654; rev:1;)
alert tcp $EXTERNAL_NET 3240 -> $HOME_NET any (msg:"OS-LINUX Linux Kernel USBIP out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 00 00 03|"; depth:4; content:"|00 00 00 01|"; within:4; distance:8; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x78,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-3955; reference:url,kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3; classtype:attempted-dos; sid:39894; rev:2;)
alert tcp $EXTERNAL_NET 3240 -> $HOME_NET any (msg:"OS-LINUX Linux Kernel USBIP out of bounds write attempt"; flow:to_client,established; file_data; content:"|00 00 00 02|"; depth:4; content:"|00 00 00 01|"; within:4; distance:8; content:"|00 00 00 00|"; within:4; distance:4; byte_test:4,>,0x78,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-3955; reference:url,kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.5.3; classtype:attempted-dos; sid:39893; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"procselfmemThread"; fast_pattern:only; content:"madviseThread"; content:"/proc/self/mem"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40543; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"procselfmemThread"; fast_pattern:only; content:"madviseThread"; content:"/proc/self/mem"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40542; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; content:"|5C|155|5C|141|5C|144|5C|166|5C|151|5C|163|5C|145|5C|50|5C|155|5C|141|5C|160|5C|54|5C|61|5C|60|5C|60|5C|54|5C|115|5C|101|5C|104|5C|126|5C|137|5C|104|5C|117|5C|116|5C|124|5C|116|5C|105|5C|105|5C|104|5C|51|5C|73|5C|12"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40566; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|44 01 C1 48 63 F1 BA 04 00 00 00 E8|"; fast_pattern; content:"|FF C5 81 FD 40 42 0F 00|"; within:16; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40565; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|44 01 C1 48 63 F1 BA 04 00 00 00 E8|"; fast_pattern; content:"|FF C5 81 FD 40 42 0F 00|"; within:16; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40564; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|8B 45 F8|"; content:"|48 8B|"; within:10; content:"|BA 04 00 00 00|"; within:10; content:"|48 89 C7 E8|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40563; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"|8B 45 F8|"; content:"|48 8B|"; within:10; content:"|BA 04 00 00 00|"; within:10; content:"|48 89 C7 E8|"; within:20; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40562; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_server,established; file_data; content:"|7F|ELF"; depth:4; content:"|BA 04 00 00 00|"; content:"|48 89 C7 E8|"; within:20; content:"|01 45 F8|"; within:10; content:"|83 45 FC 01|"; within:100; content:"|81 7D|"; within:200; byte_test:4,>=,0x050000,1,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40561; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux kernel madvise race condition attempt"; flow:to_client,established; file_data; content:"|7F|ELF"; depth:4; content:"|BA 04 00 00 00|"; content:"|48 89 C7 E8|"; within:20; content:"|01 45 F8|"; within:10; content:"|83 45 FC 01|"; within:100; content:"|81 7D|"; within:200; byte_test:4,>=,0x050000,1,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-5195; reference:url,bugzilla.redhat.com/show_bug.cgi?id=1384344; classtype:attempted-admin; sid:40560; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt"; flow:to_server,established; file_data; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; fast_pattern; byte_extract:3,1,setsockoptApproxOffset,relative; content:"|00 00 00 00|"; within:30; distance:-50; content:"|C7|"; within:1; distance:-7; content:"|02 00 00 00|"; within:100; content:"|C7|"; within:1; distance:-7; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; within:50; byte_test:3,=,setsockoptApproxOffset,1,relative; metadata:service smtp; reference:cve,2016-8655; classtype:attempted-user; sid:41028; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Linux net af_packet.c tpacket version race condition use after free attempt"; flow:to_client,established; file_data; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; fast_pattern; byte_extract:3,1,setsockoptApproxOffset,relative; content:"|00 00 00 00|"; within:30; distance:-50; content:"|C7|"; within:1; distance:-7; content:"|02 00 00 00|"; within:100; content:"|C7|"; within:1; distance:-7; content:"|41 B8 04 00 00 00 48 89 D1 BA 0A 00 00 00 BE 07 01 00 00 89 C7 E8|"; within:50; byte_test:3,=,setsockoptApproxOffset,1,relative; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-8655; classtype:attempted-user; sid:41027; rev:1;)
alert tcp $SMTP_SERVERS any -> $HOME_NET 25 (msg:"OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt"; flow:to_server,established; file_data; content:"ProblemType:"; fast_pattern:only; content:"CrashDB:"; nocase; content:"{"; within:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2016-9949; reference:url,ubuntu.com/usn/usn-3157-1/; classtype:attempted-admin; sid:41041; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-LINUX Ubuntu Apport CrashDB crash report code injection attempt"; flow:to_client,established; file_data; content:"ProblemType:"; fast_pattern:only; content:"CrashDB"; nocase; content:"{"; within:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2016-9949; reference:url,ubuntu.com/usn/usn-3157-1/; classtype:attempted-admin; sid:41040; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-LINUX cURL and libcurl set-cookie remote code execution attempt"; flow:to_client,established; content:"Set-Cookie|3A|"; fast_pattern:only; http_header; content:"path"; nocase; http_cookie; content:"|22|"; within:100; http_cookie; content:!"|22|"; within:100; http_cookie; pcre:"/path\s*\x3D\s*\x22(([^\x22]+?$)|(?!.))/Cmi"; metadata:service http; reference:bugtraq,74303; reference:cve,2015-3145; classtype:attempted-user; sid:41853; rev:3;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP invalid chunk length denial of service attempt"; ip_proto:132; content:"|09 00|"; depth:2; offset:12; byte_extract:2,0,length,relative; isdataat:!length; metadata:policy max-detect-ips drop; reference:cve,2016-9555; classtype:attempted-dos; sid:43692; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00 00 00|"; depth:4; offset:4; content:"|01 00 00|"; within:3; distance:4; byte_test:1,<,20,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:44309; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel sctp_rcv_ootb invalid chunk length DoS attempt"; ip_proto:132; content:"|00 00 00 00|"; depth:4; offset:4; content:"|01 00 00|"; within:3; distance:4; byte_jump:1,0,relative,align,post_offset -4; byte_test:2,>,1024,2,relative; metadata:policy max-detect-ips drop; reference:bugtraq,38857; reference:cve,2010-0008; classtype:attempted-dos; sid:44308; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,1,10,relative; byte_test:1,=,1,11,relative,bitmask 0x80; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46619; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x40; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46618; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x20; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46617; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x10; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46616; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x01; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46615; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,32,10,relative; byte_test:1,=,1,42,relative,bitmask 0x08; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46614; rev:1;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"OS-LINUX Linux systemd DNS resolver denial of service attempt"; flow:to_client; content:"|00 01 00 00 00 01|"; depth:6; offset:4; byte_jump:1,2,relative; byte_jump:1,5,relative; content:"|00 2F|"; within:2; distance:1; byte_test:1,>=,6,10,relative; byte_test:1,=,1,16,relative,bitmask 0x40; metadata:service dns; reference:cve,2017-15908; classtype:denial-of-service; sid:46613; rev:1;)
# alert udp any 67 -> $HOME_NET 68 (msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63 35|"; content:"|FC|"; within:50; pcre:"/([\xfc]).{0,50}([\x27])([\x20\x26\x3b\x7c]|[\x3c\x3e\x24]\x28)+/i"; metadata:policy max-detect-ips drop, ruleset community, service dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:46847; rev:1;)