snort2-docker/docker/etc/rules/server-mssql.rules
2020-02-24 08:56:30 -05:00

92 lines
30 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#--------------------
# SERVER-MSSQL RULES
#--------------------
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_client; file_data; content:"href=|22|/Reports/Pages/Report.aspx?"; nocase; content:"SelectedSubTabId="; distance:0; nocase; content:"script"; within:50; nocase; pcre:"/SelectedSubTabId=[^>]*?([\x22\x27]|%22|%27)\s*?>\s*?<[^>]*?script/i"; metadata:service http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:attempted-user; sid:24356; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-MSSQL Microsoft SQL Server Reporting Services cross site scripting attempt"; flow:established,to_server; content:"/Reports/Pages/Report.aspx"; fast_pattern:only; http_uri; content:"SelectedSubTabId="; nocase; http_uri; pcre:"/[?&]SelectedSubTabId=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|onload|src)/iU"; metadata:service http; reference:cve,2012-2552; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-070; classtype:web-application-attack; sid:24355; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1024:5000 (msg:"SERVER-MSSQL MSSQL CONVERT function unicode buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; content:"C|00|O|00|N|00|V|00|E|00|R|00|T|00|"; distance:0; nocase; pcre:"/C\x00O\x00N\x00V\x00E\x00R\x00T[^\x28]*\x28[^\x2c]*\x2c([^\x2c]*\x2c)?[^\d]*\d\x00\d\x00\d\x00\d\x00\d\x00\d/i"; metadata:policy max-detect-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:21085; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1024:5000 (msg:"SERVER-MSSQL MSSQL CONVERT function buffer overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; content:"CONVERT"; distance:0; nocase; pcre:"/CONVERT[^\x28]*\x28[^\x2c]*\x2c([^\x2c]*\x2c)?[^\d]*\d{6,}/i"; metadata:policy max-detect-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:21084; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [445,1433] (msg:"SERVER-MSSQL sp_replwritetovarbin vulnerable function attempt"; flow:to_server,established; content:"sp_replwritetovarbin"; fast_pattern:only; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15144; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Convert function style overwrite "; flow:to_server, established; content:"Convert"; nocase; pcre:"/select\s+convert\s*\(\w+(\(\d+\))?\s*,\s*((\w+|\w+\(.*\)|\w+\.\w+|\([^\)]*\))|(\w+|\w+\(.*\)|\w+\.\w+|\([^\)]*\))\s*(ALL|AND|ANY|BETWEEN|EXISTS|IN|LIKE|NOT|OR|SOME|=|\+|>|<|\/|%|\*|-||&|\||\^|~|>=|<>|<=|\!=|\!<|\!>)\s*(\w+|\w+\(.*\)|\w+\.\w+|\([^\)]*\)))\s*,\s*\d{5,}\s*\)/smi"; metadata:policy max-detect-ips drop; reference:cve,2008-0086; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:13892; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Memory page overwrite attempt "; flow:to_server,established; content:"insert"; nocase; content:"null"; distance:1; nocase; content:"select"; distance:1; nocase; pcre:"/insert\s+into\s+(\w+)\s+values\s*\(\s*null\s*\).*select\s+isnull\s*\(\s*\w+\s*,\s*(\x27\x27|\x22\x22)\s*\)\s*from\s+\1/smi"; metadata:policy max-detect-ips drop; reference:cve,2008-0106; reference:url,technet.microsoft.com/en-us/security/bulletin/MS08-040; classtype:attempted-admin; sid:13891; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433:1500 (msg:"SERVER-MSSQL Microsoft SQL Server 2000 Server hello buffer overflow attempt"; flow:to_server,established; isdataat:514; content:"|12 01|"; depth:2; content:!"|00|"; within:512; distance:35; reference:bugtraq,5411; reference:cve,2002-1123; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-056; classtype:attempted-admin; sid:11264; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_updatecolvbm vulnerable function attempt"; flow:to_server,established; content:"xp_updatecolvbm"; fast_pattern:only; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8540; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_updatecolvbm unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; fast_pattern:only; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8539; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_updatecolvbm unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; fast_pattern:only; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8538; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sqlinventory unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|q|00|l|00|i|00|n|00|v|00|e|00|n|00|t|00|o|00|r|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8537; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sqlinventory vulnerable function attempt"; flow:to_server,established; content:"xp_sqlinventory"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8536; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sqlinventory unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|q|00|l|00|i|00|n|00|v|00|e|00|n|00|t|00|o|00|r|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8535; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sqlagent_monitor unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sqlagent_monitor vulnerable function attempt"; flow:to_server,established; content:"xp_sqlagent_monitor"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8533; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sqlagent_monitor unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8532; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_showcolv vulnerable function attempt"; flow:to_server,established; content:"xp_showcolv"; fast_pattern:only; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8531; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_showcolv unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; fast_pattern:only; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8530; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_showcolv unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; fast_pattern:only; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8529; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_SetSQLSecurity vulnerable function attempt"; flow:to_server,established; content:"xp_SetSQLSecurity"; fast_pattern:only; reference:bugtraq,2043; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8528; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_SetSQLSecurity unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|S|00|e|00|t|00|S|00|Q|00|L|00|S|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; fast_pattern:only; reference:bugtraq,2043; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8527; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_SetSQLSecurity unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|S|00|e|00|t|00|S|00|Q|00|L|00|S|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; fast_pattern:only; reference:bugtraq,2043; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8526; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_proxiedmetadata vulnerable function attempt"; flow:to_server,established; content:"xp_proxiedmetadata"; fast_pattern:only; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8525; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_proxiedmetadata unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; fast_pattern:only; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8524; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_proxiedmetadata unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; fast_pattern:only; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8523; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_printstatements vulnerable function attempt"; flow:to_server,established; content:"xp_printstatements"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8522; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_printstatements unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8521; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_printstatements unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8520; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_peekqueue vulnerable function attempt"; flow:to_server,established; content:"xp_peekqueue"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8519; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_peekqueue unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8518; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_peekqueue unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; fast_pattern:only; reference:bugtraq,2041; reference:cve,2000-1085; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8517; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oasetproperty vulnerable function attempt"; flow:to_server,established; content:"xp_oasetproperty"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8516; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_oasetproperty unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|s|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8515; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oasetproperty unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|s|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8514; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_oamethod unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|m|00|e|00|t|00|h|00|o|00|d|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8513; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oamethod vulnerable function attempt"; flow:to_server,established; content:"xp_oamethod"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8512; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oamethod unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|m|00|e|00|t|00|h|00|o|00|d|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8511; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oagetproperty vulnerable function attempt"; flow:to_server,established; content:"xp_oagetproperty"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8510; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_oagetproperty unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|g|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8509; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oagetproperty unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|g|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8508; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oadestroy vulnerable function attempt"; flow:to_server,established; content:"xp_oadestroy"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8507; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_oadestroy unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|d|00|e|00|s|00|t|00|r|00|o|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8506; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_oadestroy unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|o|00|a|00|d|00|e|00|s|00|t|00|r|00|o|00|y|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8505; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_enumresultset vulnerable function attempt"; flow:to_server,established; content:"xp_enumresultset"; fast_pattern:only; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8504; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_enumresultset unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; fast_pattern:only; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8503; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_enumresultset unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; fast_pattern:only; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8502; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_displayparamstmt vulnerable function attempt"; flow:to_server,established; content:"xp_displayparamstmt"; fast_pattern:only; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8501; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_displayparamstmt unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; fast_pattern:only; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8500; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_displayparamstmt unicode vulnerable function attempt"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; fast_pattern:only; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8499; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL sp_oacreate unicode vulnerable function attempt"; flow:to_server,established; content:"s|00|p|00|_|00|o|00|a|00|c|00|r|00|e|00|a|00|t|00|e|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8498; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL sp_oacreate vulnerable function attempt"; flow:to_server,established; content:"sp_oacreate"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8497; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL sp_oacreate unicode vulnerable function attempt"; flow:to_server,established; content:"s|00|p|00|_|00|o|00|a|00|c|00|r|00|e|00|a|00|t|00|e|00|"; fast_pattern:only; reference:url,support.microsoft.com/kb/280380; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-092; classtype:attempted-admin; sid:8496; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL heap-based overflow attempt"; flow:to_server; content:"|04|"; depth:1; isdataat:50,relative; content:!"|3A|"; within:50; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,11214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:4990; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL heap-based overflow attempt"; flow:to_server; content:"|08|"; depth:1; isdataat:50; content:"|3A|"; pcre:"/[0-9]+/R"; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,11214; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:4989; rev:8;)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; metadata:ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Microsoft SQL Server TDS packet fragment handling remote denial of service attempt"; flow:to_server,established; content:"|10 00 00 10 CC CC CC CC CC CC CC CC CC CC CC CC|"; fast_pattern:only; metadata:service dcerpc; reference:bugtraq,11265; reference:cve,2004-1560; classtype:attempted-dos; sid:29029; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Microsoft SQL Server TDS packet fragment handling remote denial of service attempt"; flow:to_server,established; content:"|10 00 00 08 41 41 41 41|"; fast_pattern:only; metadata:service dcerpc; reference:bugtraq,11265; reference:cve,2004-1560; classtype:attempted-dos; sid:29028; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Microsoft SQL Server INSERT Statement Buffer Overflow attempt"; flow:to_server, established; content:"i|00|n|00|s|00|e|00|r|00|t|00 20 00|i|00|n|00|t|00|o|00 20 00|m|00|y|00|t|00|a|00|b|00|l|00|e|00 20 00|v|00|a|00|l|00|u|00|e|00|s|00 20 00 28 00|n|00|u|00|l|00|l|00 29|"; metadata:policy max-detect-ips drop; reference:cve,2008-0106; classtype:policy-violation; sid:17307; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-MSSQL Microsoft SQL Server Distributed Management Objects overflow attempt"; flow:to_client,established; file_data; content:"<object classid='clsid|3A|10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'"; nocase; content:"SQLDMO.SQLServer"; nocase; pcre:"/progid\s*\x3d\s*[\x22\x27]SQLDMO\x2eSQLServer[\x22\x27]/"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,25594; reference:cve,2007-4814; classtype:attempted-user; sid:16208; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS [445,1433] (msg:"SERVER-MSSQL sp_replwritetovarbin unicode vulnerable function attempt"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n|00|"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:bugtraq,32710; reference:cve,2008-5416; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-004; classtype:attempted-admin; sid:15143; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-MSSQL Microsoft SQL server MTF file download"; flow:to_client,established; file_data; content:"TAPE"; content:"|00 12|"; within:2; distance:82; metadata:policy max-detect-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2008-0085; reference:cve,2008-0107; reference:url,blogs.technet.com/swi/archive/2008/07/08/ms08-040-how-to-spot-potentially-dangerous-mtf-files-crossing-network-boundary.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/ms08-040; classtype:misc-activity; sid:13896; rev:14;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1024:5000 (msg:"SERVER-MSSQL Microsoft SQL Server transcational replication and showxmlplan enabled remote code execution attempt"; flow:to_server; content:"sp_replicationdboption"; fast_pattern:only; content:"SET SHOWPLAN_XML ON"; nocase; content:"@optname"; nocase; content:"publish"; within:20; nocase; content:"@value"; within:20; nocase; content:"true"; within:20; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-1762; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-058; classtype:attempted-user; sid:35198; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL Microsoft SQL Server sp_addsrvrolemember privilege escalation attempt"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|s|00|r|00|v|00|r|00|o|00|l|00|e|00|m|00|e|00|m|00|b|00|e|00|r"; fast_pattern:only; content:"|27 00|s|00|y|00|s|00|a|00|d|00|m|00|i|00|n|00 27|"; reference:url,msdn.microsoft.com/en-us/library/ms186320.aspx; classtype:attempted-admin; sid:39449; rev:1;)