226 lines
97 KiB
Plaintext
226 lines
97 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#--------------------
|
|
# PROTOCOL-RPC RULES
|
|
#--------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris TCP portmap sadmin port query request attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12458; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1747; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1924; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:1926; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2019; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2021; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:attempted-recon; sid:2023; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC UNIX authentication machinename string overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; reference:bugtraq,20941; reference:cve,2006-5780; classtype:attempted-user; sid:9623; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC UNIX authentication machinename string overflow attempt UDP"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:8; byte_test:4,>,255,8,relative; isdataat:264,relative; reference:bugtraq,20941; reference:cve,2006-5780; classtype:attempted-user; sid:9624; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10411; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10409; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:" |00 00 01|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10408; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap HP-UX Single Logical Screen SLSD tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 5C E0|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:service sunrpc; reference:bugtraq,22551; reference:cve,2007-0915; classtype:rpc-portmap-decode; sid:10410; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 191 attempt"; flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10485; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 191 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 BF|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10484; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10483; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 2112 udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=548; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12186; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [749,1024:] (msg:"PROTOCOL-RPC portmap 2112 udp rename_principal attempt"; flow:to_server; content:"|00 00 08|@"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12188; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 2112 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 08|@"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=548; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12185; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap walld udp format string attack attempt"; flow:to_server; content:"|00 01 86 A8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%"; reference:bugtraq,4639; reference:cve,2002-0573; classtype:rpc-portmap-decode; sid:12609; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12626; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC Solaris UDP portmapper sadmin port query attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12628; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap walld udp request"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:service sunrpc; reference:bugtraq,4639; reference:cve,2002-0573; classtype:rpc-portmap-decode; sid:12608; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC Solaris TCP portmapper sadmin port query attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:12627; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind auth buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative,big; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24657; reference:cve,2007-2443; reference:url,attack.mitre.org/techniques/T1097; classtype:rpc-portmap-decode; sid:12708; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 390113 udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13251; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:13223; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 udp procedure 4 attempt"; content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13253; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 udp procedure 5 attempt"; content:"|00 05 F3 E1|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13257; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 390113 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F3 E1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13250; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 tcp procedure 5 attempt"; flow:to_server,established; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13256; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 232 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13716; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 232 attempt"; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 E8|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13717; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 234 attempt"; flow:to_server,established; content:"|00 06 09|~"; depth:4; offset:16; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13805; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve udp procedure 234 attempt"; flow:to_server; content:"|00 06 09|~"; depth:4; offset:12; content:"|00 00 00 EA|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; metadata:policy max-detect-ips drop; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:13806; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 395650 udp request"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16084; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 tcp xml buffer overflow attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:policy max-detect-ips drop; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16085; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 udp XDR SString buffer overflow attempt"; content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,29283; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16082; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 udp xml buffer overflow attempt"; content:"|00 06 09 82|"; depth:4; offset:12; content:"|00 00 00|y"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,28,relative,align; byte_jump:4,32,relative,align; byte_test:4,>,1988,240,relative; metadata:policy max-detect-ips drop; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16086; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 395650 tcp XDR SString buffer overflow attempt"; flow:to_server,established; content:"|00 06 09 82|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"SString"; byte_test:4,>,4096,1,relative; metadata:policy max-detect-ips drop; reference:bugtraq,29283; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16081; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC AIX ttdbserv function 15 buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 00|"; depth:32; offset:16; isdataat:256,relative; reference:bugtraq,35419; reference:cve,2009-2727; reference:url,www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4699&myns=paix52&mync=E; classtype:attempted-admin; sid:16285; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap Solaris sadmin tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16446; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap Solaris sadmin tcp adm_build_path overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16448; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap Solaris sadmin udp adm_build_path overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; byte_jump:4,8,relative,align; byte_jump:4,4,relative,align; content:"ADM_METHOD"; content:"|00 00 00 09|"; within:8; byte_test:4,>,999,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16449; rev:4;)
|
|
# alert tcp $EXTERNAL_NET [1024:] -> $HOME_NET 2049 (msg:"PROTOCOL-RPC IBM AIX and Oracle Solaris nfsd v4 nfs_portmon security bypass attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A3 00 00 00|"; within:7; distance:4; fast_pattern; pcre:"/^.{8}\x00\x00\x00\x00\x00\x00\x00[\x01\x02\x03]\x00\x01\x86\xA3\x00\x00\x00[\x02\x03\x04]/"; reference:bugtraq,35546; reference:bugtraq,36544; reference:cve,2009-2296; reference:cve,2009-3517; classtype:misc-attack; sid:20248; rev:3;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET [1234,32778] (msg:"PROTOCOL-RPC Novell Netware xdr decode string length buffer overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 B8|"; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; metadata:policy max-detect-ips drop; reference:cve,2011-4191; reference:url,download.novell.com/Download?buildid=Cfw1tDezgbw~; classtype:attempted-user; sid:21100; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount path overflow attempt"; flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 03|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:bugtraq,8179; reference:cve,2003-0252; reference:cve,2010-4227; reference:nessus,11800; classtype:misc-attack; sid:32356; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [7937:] (msg:"PROTOCOL-RPC EMC NetWorker nsrindexd service buffer overflow attempt"; flow:to_server,established; content:"|00 05 F3 D9 00 00 00 05 00 00 00 09|"; depth:12; offset:16; isdataat:200,relative; byte_test:4,>,0xC8,16,relative; byte_test:4,<=,0x600,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,57182; reference:cve,2012-4607; classtype:attempted-admin; sid:25542; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7937:65535 (msg:"PROTOCOL-RPC EMC Networker nsrindexd.exe procedure 0x01 buffer overflow attempt"; flow:to_server,established; content:"|00 05 F3 D9|"; depth:200; fast_pattern; byte_test:4,>,4,0,big,relative; byte_test:4,<,7,0,big,relative; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00 00 00 00 00|"; within:8; byte_test:4,>=,0x100,8,big,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2012-0395; classtype:attempted-user; sid:24696; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp procedure 122 invalid function call attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 06 09 80|"; within:4; distance:4; fast_pattern; content:"|00 00 00 7A|"; within:4; distance:4; content:!"|00 00 00 05|Slist|00|"; distance:0; nocase; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2012-2971; reference:url,www.securityfocus.com/archive/1/524461; classtype:attempted-admin; sid:24639; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC xdrDecodeString caller_name stack overflow attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 B5|"; depth:12; offset:4; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:cve,2010-4227; classtype:misc-attack; sid:24503; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC CDE Calendar Manager service memory corruption attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 0A|"; within:4; distance:4; isdataat:272,relative; metadata:policy max-detect-ips drop; reference:bugtraq,36615; reference:cve,2010-4435; classtype:attempted-admin; sid:19173; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 36890 (msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 75 3D|"; within:4; distance:8; fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18558; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC IBM Informix Dynamic Server librpc.dll buffer overflow attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 75 3D|"; within:4; distance:8; fast_pattern; byte_extract:4,0,credlen,relative,big; byte_test:4,>,credlen,4,relative,big; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38471; reference:cve,2009-2753; classtype:attempted-admin; sid:18557; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v4 CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; content:"|00 00 00 06 00 00 00|"; byte_test:1,>,2,0,relative; byte_test:1,<,5,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:17749; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [111,36890] (msg:"PROTOCOL-RPC Multiple vendors librpc.dll stack buffer overflow attempt - tcp"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop; reference:bugtraq,38472; reference:cve,2009-2754; classtype:attempted-admin; sid:17206; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Multiple vendors librpc.dll stack buffer overflow attempt - udp"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:7; byte_test:1,&,0x80,8,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,38472; reference:cve,2009-2754; classtype:attempted-admin; sid:17205; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP data length integer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,35083; reference:cve,2008-3870; classtype:attempted-admin; sid:16797; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP data length integer overflow attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; byte_test:4,>,0xFFFFFEFF,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,35083; reference:cve,2008-3870; classtype:attempted-admin; sid:16796; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind TCP array size buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16706; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [1024:] (msg:"PROTOCOL-RPC Oracle Solaris sadmind UDP array size buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 87 88|"; within:4; distance:4; fast_pattern; byte_jump:4,12,relative,big,align; byte_jump:4,4,relative,big,align; byte_jump:4,108,relative,big,align; byte_jump:4,0,relative,big,align; byte_jump:4,0,relative,big,align; content:"|00 00 00 00 00 00 00 00|"; distance:0; byte_test:4,!=,0,0,relative; byte_jump:4,0,relative,big,align; content:"|00 00 00 11|"; within:4; byte_jump:4,0,relative,big,align; isdataat:7; content:!"|00 00 00 00 00 00 00 00|"; within:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,35083; reference:cve,2008-3869; classtype:attempted-admin; sid:16705; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v3 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16702; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v3 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 0B|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,0,relative,big; byte_jump:4,0,relative,big; pcre:"/^.\x00{3}(\x03|\x04)/sR"; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16701; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v2 tcp CAP_MKNOD security bypass attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16700; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux Kernel nfsd v2 udp CAP_MKNOD security bypass attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 09|"; depth:28; byte_jump:4,4,relative,big; byte_jump:4,4,relative,big; byte_jump:4,32,relative,big; content:"|00 00|"; within:2; distance:1; byte_test:1,&,0x20,0,relative; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,34205; reference:cve,2009-1072; classtype:misc-attack; sid:16699; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin request attempt"; flow:to_client; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,31751; reference:cve,2008-4556; classtype:rpc-portmap-decode; sid:16447; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap 395650 tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09 82|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:cve,2008-2242; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798; classtype:rpc-portmap-decode; sid:16083; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap 390113 tcp procedure 4 attempt"; flow:to_server,established; content:"|00 05 F3 E1|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"sn_sub_rqst"; within:11; distance:12; byte_test:4,>,234,5,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,25375; reference:cve,2007-3618; classtype:rpc-portmap-decode; sid:13252; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc RPCSEC_GSS buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 00 00 06|"; within:4; distance:16; byte_test:4,>,127,0,relative; metadata:policy max-detect-ips drop; reference:bugtraq,25534; reference:cve,2007-3999; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt; classtype:attempted-admin; sid:12424; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [749,1024:] (msg:"PROTOCOL-RPC portmap 2112 tcp rename_principal attempt"; flow:to_server,established; content:"|00 00 08|@"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,8192,4,relative; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,24653; reference:cve,2007-2798; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt; classtype:rpc-portmap-decode; sid:12187; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code execution attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 04 93 E1 00 00 00 00|"; within:8; distance:16; metadata:policy max-detect-ips drop; reference:bugtraq,24655; reference:cve,2007-2442; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:12075; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"PROTOCOL-RPC MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; byte_test:4,>,0,20,relative; content:"|00 00 00 01|"; within:4; distance:16; byte_test:4,>,2147483647,8,relative; metadata:policy max-detect-ips drop; reference:bugtraq,24657; reference:cve,2007-2443; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt; classtype:attempted-admin; sid:12046; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC portmap mountd tcp zero-length payload denial of service attempt"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; pcre:"/^[\x00\x80]\x00\x00\x00/s"; metadata:policy max-detect-ips drop; reference:bugtraq,16838; reference:cve,2006-0900; classtype:rpc-portmap-decode; sid:11289; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,16838; reference:cve,2006-0900; classtype:rpc-portmap-decode; sid:11288; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap CA BrightStor ARCserve tcp request"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 06 09|~"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,23209; reference:cve,2007-1785; classtype:rpc-portmap-decode; sid:10482; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid:10133; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap BrightStor ARCserve denial of service attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 00 00 00|"; within:4; distance:4; metadata:policy max-detect-ips drop, service sunrpc; reference:bugtraq,22365; reference:cve,2007-0816; classtype:attempted-dos; sid:10132; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount path overflow attempt"; flow:to_server; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, service dcerpc; reference:bugtraq,46535; reference:bugtraq,8179; reference:cve,2003-0252; reference:cve,2010-4227; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:misc-attack; sid:2088; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1952; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel NFSv3 malformed WRITE arbitrary memory read attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 03 00 00 00 07|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; byte_extract:4,8,count,relative; byte_test:4,!=,count,4,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2017-7895; classtype:attempted-user; sid:43189; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel NFSv2 malformed WRITE arbitrary memory read attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 02 00 00 00 08|"; depth:24; offset:4; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_extract:4,40,count,relative; byte_test:4,!=,count,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:cve,2017-7895; classtype:attempted-user; sid:43188; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:20; offset:8; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; content:"|00 00 00 01 00 00 00 01 00 00 00 32|"; within:12; byte_test:4,>,5,4,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,99298; reference:cve,2017-8797; reference:url,access.redhat.com/security/cve/cve-2017-8797; classtype:attempted-dos; sid:44638; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"PROTOCOL-RPC Linux kernel nfsd nfsd4_layout_verify out of bounds read attempt"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A3 00 00 00 04 00 00 00 01|"; depth:20; offset:8; byte_jump:4,4,relative; byte_jump:4,4,relative; byte_jump:4,0,relative; content:"|00 00 00 01 00 00 00 01 00 00 00 2F|"; within:12; byte_test:4,>,5,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service sunrpc; reference:bugtraq,99298; reference:cve,2017-8797; reference:url,access.redhat.com/security/cve/cve-2017-8797; classtype:attempted-dos; sid:44637; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC XDR string allocation denial of service attempt"; flow:to_server; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; within:4; distance:4; fast_pattern; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 04 00 00 00 04|"; within:8; distance:24; byte_test:4,>,9000,0,relative; reference:bugtraq,98325; reference:cve,2017-8779; classtype:denial-of-service; sid:45108; rev:1;)
|