45 lines
11 KiB
Plaintext
45 lines
11 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#----------------------
|
|
# PROTOCOL-OTHER RULES
|
|
#----------------------
|
|
|
|
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43003; rev:5;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"IPC$|00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43002; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-OTHER Websocket upgrade request without a client key detected"; flow:to_server,established; content:"Upgrade: ws"; fast_pattern:only; http_header; content:!"Sec-WebSocket-Key"; http_header; metadata:service http; reference:cve,2015-8027; classtype:misc-activity; sid:37028; rev:1;)
|
|
alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:"<?xml"; content:"<specVersion"; isdataat:100,relative; content:!">"; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35690; rev:4;)
|
|
# alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:"<?xml"; content:"<"; isdataat:100,relative; content:!">"; within:100; pcre:"/<\s*[^\s]{100}/"; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35689; rev:4;)
|
|
alert tcp $HOME_NET any -> $HOME_NET 1900 (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml file request"; flow:to_server,established; content:"/rootDesc.xml HTTP/1."; fast_pattern:only; flowbits:set,file.rootdesc; flowbits:noalert; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:misc-activity; sid:35688; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid MCS serverRandomLen out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; content:"|02 F0 80 7F 66|"; within:5; distance:2; content:"|03 0C 08 00 EB 03 00 00 02 0C|"; byte_test:4,>,0x7FFFFFFF,10,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2837; reference:url,www.talosintelligence.com/reports/TALOS-2017-0339/; classtype:attempted-user; sid:42998; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid EncryptedPlatformChallenge null pointer dereference attempt"; flow:to_client,established; content:"|03 00|"; byte_extract:2,0,pktlen,relative; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; content:"|80 00|"; within:2; distance:2; content:"|02|"; within:1; distance:2; byte_test:2,>,pktlen,9,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2839; reference:url,www.talosintelligence.com/reports/TALOS-2017-0341/; classtype:attempted-user; sid:42975; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid cbCompanyName out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|80 00|"; within:2; distance:2; content:"|01|"; within:1; distance:2; byte_test:4,>,0xFFFFFFFB,39,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2838; reference:url,www.talosintelligence.com/reports/TALOS-2017-0340/; classtype:attempted-user; sid:42974; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP RSA modulus length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|01 00 00 00 01 00 00 00 06 00|"; content:"RSA1"; within:4; distance:2; byte_test:4,<,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2836; reference:url,www.talosintelligence.com/reports/TALOS-2017-0338/; classtype:attempted-user; sid:42973; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP PER length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; byte_test:1,<,4,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2834; reference:cve,2017-2835; reference:url,www.talosintelligence.com/reports/TALOS-2017-0336/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0337/; classtype:attempted-user; sid:42941; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt"; flow:to_client,established; content:"|04 08 30 06 01 01 FF 02 01 0A 30 22 06 03 55 1D 0E 04 1B 04 63 6F C0 C0 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.talosintelligence.com/reports/TALOS-2017-0274; classtype:attempted-user; sid:41364; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt"; flow:to_server,established,no_stream; dsize:4; content:"|00 01|"; depth:2; byte_test:2,>=,0x2710, 0, relative; detection_filter:track by_src, count 25, seconds 1; metadata:service netbios-ssn; reference:url,smbloris.com/; classtype:attempted-dos; sid:43928; rev:2;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-OTHER STCP heartbeat chunk denial of service attempt"; ip_proto:132; content:"|04 00|"; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; reference:url,ietf.org/rfc/rfc5062.txt; classtype:denial-of-service; sid:44015; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 520 (msg:"PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt"; flow:to_server; content:"|01 01 00 00 00|"; depth:5; fast_pattern; content:"|00 00|"; within:2; distance:1; detection_filter:track by_src, count 50, seconds 1; reference:url,blogs.akamai.com/2015/07/ripv1-reflection-ddos-making-a-comeback.html; classtype:attempted-dos; sid:46098; rev:1;)
|
|
# alert udp $EXTERNAL_NET 389 -> $HOME_NET any (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; dsize:>2000; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46374; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; detection_filter:track by_src, count 5, seconds 60; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46373; rev:1;)
|