71 lines
26 KiB
Plaintext
71 lines
26 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#--------------------
|
|
# SERVER-SAMBA RULES
|
|
#--------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba username map script command injection attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; content:"|00 00|"; within:3; distance:2; content:"|00|"; within:1; distance:25; content:"|00 00 00 00|"; within:4; distance:16; byte_extract:2,-8,ansi_pw_len,relative,little; byte_jump:2,0,relative,little,post_offset 10; content:"/="; within:2; distance:ansi_pw_len; pcre:"/^[\x21-\x2f\x3a-\x3f\x5b-\x60\x7b-\x7e]/R"; metadata:service netbios-ssn; reference:cve,2007-2447; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=534 ; classtype:attempted-admin; sid:21164; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"SERVER-SAMBA Samba wildcard filename matching denial of service attempt"; flow:to_server,established; content:"|FF|SMB2"; depth:5; offset:4; content:"|01 00|"; depth:2; offset:65; content:"*"; distance:0; pcre:"/((\x3c\x00?)*\x2a\x00?[^\x2a\x3c]*){5}/R"; reference:bugtraq,11624; reference:cve,2004-0930; classtype:attempted-dos; sid:15581; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba name mangling buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB"; fast_pattern; byte_test:2,>,1024,67,little; byte_extract:2,67,bcc,little; content:"~"; within:bcc; pcre:"/^\x00.{3}\xffSMB[\x02\x03\x06\x07\x08\x09\x0f\x29\x2a\x2d\x82\x83\x84\xa2\xa5].{61}[\x5c\x2f]\x00?(.\x00?)+?[\x5c\x2f]\x00?(.\x00?){5}\x7e\x00?(.\x00?){2}\x2E\x00?(.\x00?){3}(?!\x00\x00?)/"; metadata:service netbios-ssn; reference:bugtraq,10781; reference:cve,2004-0686; classtype:attempted-admin; sid:21370; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"SERVER-SAMBA Samba DCERPC NCACN-IP-TCP lsarpc LsarLookupSids lsa_io_trans_name heap overflow attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:15; dce_stub_data; content:"|05 00 00 00 88 88 88 88 09 00 00 00|"; depth:12; offset:52; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,24196; reference:cve,2007-2446; classtype:protocol-command-decode; sid:18319; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:82273fdc-e32a-18c3-3f78-827929dc23ea; dce_opnum:11; dce_stub_data; byte_extract:2,32,array_elements,multiplier 1,dce; byte_test:4,<,array_elements,2,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:23240; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:82273fdc-e32a-18c3-3f78-827929dc23ea; dce_opnum:11; dce_stub_data; byte_extract:4,40,array_elements,multiplier 4,dce; byte_test:2,<,array_elements,-8,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22008; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:3; dce_stub_data; byte_extract:4,44,num_stores,dce; byte_test:4,<,num_stores,4,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22012; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:4fc742e0-4a10-11cf-8273-00aa004ae673; dce_opnum:5; dce_stub_data; byte_extract:4,24,array_count,dce; byte_test:4,<,array_count,4,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22011; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ac; dce_opnum:67; dce_stub_data; byte_extract:4,44,pwd_hist_len,dce; byte_test:4,<,pwd_hist_len,24,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22006; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:14; dce_stub_data; byte_extract:4,20,num_names,dce; byte_test:4,<,num_names,0,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22007; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:6bffd098-a112-3610-9833-46c3f87e345a; dce_opnum:5; dce_stub_data; byte_extract:4,64,array_elements,multiplier 20,dce; byte_test:4,>,array_elements,-12,relative,dce; metadata:policy max-detect-ips drop, policy security-ips alert, service netbios-ssn; reference:cve,2012-1182; classtype:attempted-admin; sid:21806; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:8; dce_stub_data; byte_extract:4,32,array_count,dce; byte_test:4,<,array_count,0,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22005; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ab; dce_opnum:40; dce_stub_data; byte_extract:4,40,num_entries,dce; byte_test:4,>,num_entries,0,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22010; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:12345778-1234-abcd-ef00-0123456789ac; dce_opnum:16; dce_stub_data; byte_extract:4,20,num_sids,dce; byte_test:4,<,num_sids,4,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22004; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spools RPC smb_io_notify_option_type_data request handling buffer overflow attempt"; flow:to_server,established; content:"SMB"; nocase; content:"|9C E0 0A 00 09 00 00 00 0A 00 0B 00 0D 00 03 00 14 00 15 00 10 00 17 00 16 00 00 00|P|00 00 00|"; distance:0; metadata:policy max-detect-ips drop; reference:cve,2007-2446; classtype:attempted-user; sid:16034; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unicode filename buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB-|00 00 00 00 08 01 C8 00 00 00 00 00 00 00 00 00 00 00 00 01 00 92|<d|00 07 00 0F FF 00 00 00 00 00|@|00 06 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00|%|04 00 5C 00|t|00|e|00|s|00|t|00 5C 00|A"; reference:bugtraq,11678; reference:cve,2004-0882; classtype:misc-attack; sid:15986; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"SERVER-SAMBA Samba Printer Change Notification Request DoS attempt"; flow:to_server,established; content:"|05 00 00 03 10 00 00 00 BC 00 00 00 01 00 00 00 A4 00 00 00 00 00|E|00 28 91|9|00 15 00 00 00 00 00 00 00 15 00 00 00 5C 00 5C 00|s|00|l|00|a|00|w|00|e|00|k|00|.|00|v|00|r|00|t|00 5C 00|p|00|r|00|i|00|n|00|t|00|e|00|r|00 00 00|"; fast_pattern:only; reference:bugtraq,11055; reference:cve,2004-0829; classtype:attempted-dos; sid:15984; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba arbitrary file access exploit attempt"; flow:to_server,established; content:"|5C 00|/|00|.|00|/|00|/|00|/|00|/|00|/|00|e|00|t|00|c|00|/|00|h|00|o|00|s|00|t|00|s|00|.|00|d|00|e|00|n|00|y|00 00 00|"; reference:bugtraq,11281; reference:cve,2004-0815; classtype:misc-attack; sid:15983; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt"; flow:to_server,no_stream; content:" EGFCEFEECACACACACACACACACACACABM|00 00| |00 01|"; fast_pattern:only; detection_filter:track by_dst,count 97,seconds 30; metadata:policy max-detect-ips drop, service netbios-ns; reference:bugtraq,26455; reference:cve,2007-5398; classtype:attempted-user; sid:33582; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba smbd _netr_ServerPasswordSet deprecated vulnerable function access attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-01234567cffb; dce_opnum:6; metadata:service dcerpc, service netbios-ssn; reference:bugtraq,72711; reference:cve,2015-0240; reference:url,securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/; classtype:policy-violation; sid:33826; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba malicious user defined array size and buffer attempt"; flow:to_server,established; dce_iface:367abb81-9844-35f1-ad32-98f038001003; dce_opnum:19; dce_stub_data; byte_extract:4,20,num_args,dce; byte_test:4,<,num_args,4,relative,dce; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2012-1182; reference:url,www.samba.org/samba/security/CVE-2012-1182; classtype:attempted-admin; sid:22009; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba SID parsing overflow attempt"; flow:to_server,established; content:"|FF|SMB|A0|"; content:"|14|"; within:1; distance:27; content:"|07 00|"; within:2; distance:36; byte_test:1,>,15,32,relative; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,43212; reference:cve,2010-3069; classtype:attempted-admin; sid:19007; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|N"; content:"TLOGON|00|"; within:8; content:"|12 00|"; distance:0; content:"|00 00|"; distance:2; content:"|00 00|"; distance:0; isdataat:260,relative; content:!"|00|"; within:260; metadata:policy max-detect-ips drop, service netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:17661; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba Root File System access bypass attempt"; flow:to_server,established; content:"|FF|SMB|75|"; depth:5; offset:4; byte_jump:1,27,relative,multiplier 2; byte_jump:2,-2,relative,little; content:"|5C 00 5C 00|"; within:4; distance:2; content:"|5C 00 00 00|"; within:80; pcre:"/\x5c\x00\x5c\x00[^\x5c]*?\x5c\x00\x00\x00/"; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,33118; reference:cve,2009-0022; classtype:attempted-recon; sid:17639; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba smbd flags2 header parsing denial of service attempt"; flow:to_server,established; flowbits:isset,smb.req.ascii; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x40,0,relative,little; byte_test:2,&,0x8000,1,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,40097; reference:cve,2010-1635; classtype:attempted-dos; sid:17152; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"SERVER-SAMBA Samba smbd Session Setup AndX security blob length dos attempt"; flow:established, to_server; content:"|FF|SMB|73|"; byte_test:2,>,0x8000,42,relative,little; metadata:policy max-detect-ips drop, service netbios-ssn; reference:bugtraq,40097; reference:cve,2010-1642; reference:url,samba.org/samba/history/samba-3.4.8.html; classtype:denial-of-service; sid:16684; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"SERVER-SAMBA Samba WINS Server Name Registration handling stack buffer overflow attempt"; flow:to_server,no_stream; content:" FGFEFEFGENCNFHEJEODCELFDFCFGCABM|00 00| |00 01|"; fast_pattern:only; detection_filter:track by_dst,count 40,seconds 30; metadata:policy max-detect-ips drop, service netbios-ns; reference:bugtraq,26455; reference:cve,2007-5398; classtype:attempted-user; sid:16058; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"SERVER-SAMBA Samba send_mailslot buffer overflow attempt"; content:"|5C|MAILSLOT|5C|NET|5C|NTLOGON"; fast_pattern; pcre:"/^\x00+/R"; content:"|12 00 00 00|"; within:4; pcre:"/^\x00\x00\x00\x00[^\x00]{262}/R"; metadata:policy max-detect-ips drop, service netbios-dgm; reference:bugtraq,26791; reference:cve,2007-6015; classtype:attempted-admin; sid:13291; rev:11;)
|
|
alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; byte_test:3, >, 200, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-SAMBA Samba LDAP modify dnsRecord buffer overflow attempt"; flow:to_server,established; content:"|09|dnsRecord"; byte_test:2,>,255,6,relative; metadata:policy max-detect-ips drop, service ldap; reference:cve,2016-2123; classtype:attempted-user; sid:43053; rev:1;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba unsigned connections attempt"; flow:to_server, established; content:"|FF|SMB"; depth:4; offset:4; byte_test:1,=,0x05,6,relative,bitmask 0x14; content:"|00 00 00 00 00 00 00 00|"; within:8; distance:10; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-12150; reference:url,samba.org/samba/security/CVE-2017-12150.html; classtype:attempted-user; sid:45074; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba write command memory leak attempt"; flow:to_server, established; content:"|FF 53 4D 42 0B|"; depth:5; offset:4; byte_extract:2,30,bytes_to_write,relative,little; byte_test:2,<,bytes_to_write,4,relative,little; reference:cve,2017-12163; reference:url,samba.org/samba/security/CVE-2017-12163.html; classtype:attempted-user; sid:45072; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba write and unlock command memory leak attempt"; flow:to_server, established; content:"|FF 53 4D 42 14|"; depth:5; offset:4; byte_extract:2,30,bytes_to_write,relative,little; byte_test:2,<,bytes_to_write,4,relative,little; reference:cve,2017-12163; reference:url,samba.org/samba/security/CVE-2017-12163.html; classtype:attempted-user; sid:45071; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba write and close command memory leak attempt"; flow:to_server, established; content:"|FF 53 4D 42 0B|"; depth:5; offset:4; byte_extract:2,30,bytes_to_write,relative,little; byte_test:2,<,bytes_to_write,4,relative,little; reference:cve,2017-12163; reference:url,samba.org/samba/security/CVE-2017-12163.html; classtype:attempted-user; sid:45070; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba write andx command memory leak attempt"; flow:to_server, established; content:"|FF 53 4D 42 2F|"; depth:5; offset:4; byte_extract:2,44,remaining,relative,little; byte_test:2,>,remaining,2,relative,little; reference:cve,2017-12163; reference:url,samba.org/samba/security/CVE-2017-12163.html; classtype:attempted-user; sid:45069; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba tree connect andx memory corruption attempt"; flow:to_server,established; content:"|FF|SMB|75|"; fast_pattern:only; content:"|04 75 00|"; byte_test:1,=,1,2,relative,bitmask 0x01; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-14746; classtype:attempted-user; sid:45255; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"SERVER-SAMBA Samba LDAP Server libldb denial of service attempt"; flow:to_server,established; content:"|0A 01 02 0A 01 00 02 01 00 02 01 00 01 01 00|"; fast_pattern; content:"|63|"; within:30; distance:-45; content:"|A4|"; distance:0; content:"|04|"; within:5; distance:1; pcre:"/\x0A\x01\x02\x0A\x01\x00\x02\x01\x00\x02\x01\x00\x01\x01\x00.*\xA4.{1,5}\x04.{0,1000}(\x80\x01\x00|\x81\x01\x00|\x82\x01\x00)/s"; metadata:policy max-detect-ips drop, service ldap; reference:cve,2015-3223; classtype:denial-of-service; sid:45568; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:10; content:"|FF|SMB"; depth:4; offset:4; dce_stub_data; content:"|00 00 00 00|"; depth:4; offset:12; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46282; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00 00|"; distance:75; content:"|10 00 00 00|"; within:4; distance:1; content:"|0A 00|"; within:2; distance:14; content:"|00 00 00 00|"; within:4; distance:12; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46281; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:84; content:"|FF|SMB"; depth:4; offset:4; dce_stub_data; byte_jump:4,12,relative,multiplier 2,little; byte_jump:4,10,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46280; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00 00|"; distance:75; content:"|10 00 00 00|"; within:4; distance:1; content:"|54 00|"; within:2; distance:14; byte_jump:4,12,relative,multiplier 2,little; byte_jump:4,10,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46279; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00 00|"; distance:75; content:"|10 00 00 00|"; within:4; distance:1; content:"|0D 00|"; within:2; distance:14; byte_jump:4,12,relative,multiplier 2,little; byte_jump:4,10,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46278; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:13; content:"|FF|SMB"; depth:4; offset:4; byte_jump:4,12,relative,multiplier 2,little; byte_jump:4,10,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46277; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:13; content:"|FF|SMB"; depth:4; offset:4; dce_stub_data; byte_jump:4,12,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46276; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00 00|"; distance:75; content:"|10 00 00 00|"; within:4; distance:1; content:"|54 00|"; within:2; distance:14; byte_jump:4,12,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46275; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; dce_iface:12345678-1234-abcd-ef00-0123456789ab; dce_opnum:84; content:"|FF|SMB"; depth:4; offset:4; dce_stub_data; byte_jump:4,12,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46274; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba spoolss denial of service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00 00|"; distance:75; content:"|10 00 00 00|"; within:4; distance:1; content:"|0D 00|"; within:2; distance:14; byte_jump:4,12,relative,multiplier 2,little; content:"|00 00 00 00|"; within:4; distance:10; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:cve,2018-1050; reference:url,samba.org/samba/security/CVE-2018-1050.html; classtype:denial-of-service; sid:46273; rev:1;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)
|