debian/0000775000000000000000000000000012317404426007173 5ustar debian/snort-pgsql.prerm0000664000000000000000000000275612317374213012545 0ustar #! /bin/sh # prerm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `upgrade' # * `failed-upgrade' # * `remove' `in-favour' # * `deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ case "$1" in remove|upgrade|deconfigure) if [ -x "/etc/init.d/snort" ] ; then if [ -x "`which invoke-rc.d >/dev/null 2>&1`" ] ; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi else start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort fi rm -f /var/run/snort_*.pid # Older versions of snort just kill every process with 'snort' in the # name, so also 'snort.prerm'. This fixes that. ps cax | grep ' snort$' | awk '{print $1}' | xargs --no-run-if-empty kill -s KILL >/dev/null || true ;; failed-upgrade) ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/README.Debian0000664000000000000000000001613212317374526011246 0ustar SNORT INIT.D ------------------------------ The Debian provided init.d script tries to provide many features unavailable upstream: - run Snort on demand, when there is no permanent interface to the network (i.e. ppp serial lines) - run multiple instances of Snort in different network interfaces and allow for different configuration for each of these instances (see below for more on this) - start or stop specific Snort instances (i.e those listening in different network interfaces) This makes the provied init.d script somewhat complex and with different ways in which the administrator can change its behavior. In order to change the behavior of the init.d script you can use: - /etc/default/snort: to configure the parameters for the Snort daemon. 
This is done similarly to other packages (exim4, ntp, etc.) so that users do not have to modify the init.d script only for parameter tweaking (which would produce issues when upgrading packages if the init.d changes). - /etc/snort/snort.debian.conf, this configuration file holds generic configuration information and is handled by Debian's configuration management system Debconf. If you want to modify its contents run "dpkg-reconfigure snort" - /etc/snort.conf, this configuration file handles Snort itself. It is possible to have different configuration file for different interfaces by adding the interface name (e.g. /etc/snort.eth0.conf for the 'eth0' interface) If you have issues with the behaviour in the init.d script please provide a bug report with the following information: - the contents of /etc/default/snort - the contents of /etc/snort/snort.debian.conf - the contents of /etc/snort/snort.conf, and any other /etc/snort/snort.*.conf files - the output of running the init.d script when started ('sh -x /etc/init.d/snort start'), stopped ('sh -x /etc/init.d/snort start'), requesting the status of the Snort instances ('sh -x /etc/init.d/snort status') and checking its configuration ('sh -x /etc/init.d/snort config-check') SNORT ON MULTIPLE INTERFACES ------------------------------ There is no provision upstream to have multiple instances of Snort running in the same system. If you want to setup a sensor in more than one network interface (for example, you are setting up an IDS listening to multiple network segments) then upstream's scripts are not useful. This package of snort is capable of managing multiple interfaces. The current init.d script is capable of launching more than one snort instance. You just need to answer the debconf question "On which interface(s) should snort listen on" with a list (separated by spaces of interafes you want to use). This actually modifies the value of DEBIAN_SNORT_INTERFACE definition in /etc/snort/snort.debian.conf. 
Afterwards, you need to create different /etc/snort/snort.$INTERFACE.conf configuration files (where $INTERFACE is your interface names, e.g., eth0 or eth1) for each interface you want Snort to listen on. All sensors can use the same rule set so it's easy to update them and all your sensors simultaneously. If no /etc/snort/snort.$INTERFACE.conf file exists for a given interface, then the regular /etc/snort/snort.conf file is used. Notice, however, that the same HOME_NET definition will be used for all interfaces (the answer to the "address range snort will listen on"). The debconf scripts don't currently support a way to give different HOME_NET definitions to different interfaces. This is still work in progress. Please file bugs to the snort package. ----------------------------------------------------------------------------- ----------------------------------------------------------------------------- FREQUENT QUESTIONS AND ANSWERS --------------------------------- Q. I want to use FLEXRESP rules, but snort won't start with those rules enabled! What is wrong, what should I do? A. FLEXRESP rules need root-priviledges to access raw ethernet interface. To resolve this, start snort as root. Q0. I can reconfigure snort as often as I want but it won't ask me any questions! A0. You are probably victim of a bug in an older version of debconf. Just do: dpkg-reconfigure --priority=low debconf; dpkg-reconfigure snort Q1. How can I test snort without having an ethernet card or a connection to other computers ? A1. You have to use routing between two dummy devices: # modprobe -a dummy (The dummy device has to be build by the kernel) # ifconfig dummy0 192.168.0.1 # ifconfig dummy0:0 192.168.0.2 # telnet 192.168.0.3 12345 It's important that the second IP is on the same interface and not e.g. dummy1 or dummy2 and that the IP you try to access is *not* one of those you put on the interfaces. Use snort's ability to hear in promiscuous mode on an IP address range. 
(HOME_NET=192.168.0.0/16)
Always make sure the sensor loads your new rules cleanly by running 'snort -T' before restarting it.
Users that want to use Snort in production environments are recommended to either: - Obtain additional/updated rulesets from Open Source projects such as "Emerging Threats". For more information see http://www.emergingthreats.net/ For rulesets seet http://rules.emergingthreats.net/open/ - Obtain additional/updated rulesets from Sourcefire or any other companies providing non-free content. For Sourcefire, this requires registration at their site. For more information see http://www.snort.org/snort-rules/ - Develop their own ruleset To automatically download rules and keep their Snort system up-to-date users can use the 'oinkmaster' package. This program will automatically update the rulesets once configured to download from an appropriate location. In any case, should you find any issues (such as false positives, performance problems), please file a bug against the Debian 'snort-rules-default' package. The Debian package maintainers will do their best to keep the ruleset bug-free though not necessarily up-to-date. You can find the list of known problems at http://bugs.debian.org/snort-rules-default -- Javier Fernandez-Sanguino Pen~a Wed, 08 Aug 2012 01:23:41 +0200 debian/snort-doc.doc-base.manual0000664000000000000000000000052512317374526013767 0ustar Document: snort-manual Title: Snort Users Manual Author: Martin Roesch Abstract: Users manual to the Snort NIDS The users manual to the Snort network intrusion detection system, providing an overview of snort and how to write rule files for it. Section: Network/Monitoring Format: pdf Files: /usr/share/doc/snort-doc/snort_manual.pdf.gz debian/snort-doc.doc-base.paper0000664000000000000000000000140712317374526013621 0ustar Document: snort-paper Title: Snort - Lightweight Intrusion Detection for Networks Author: Martin Roesch Abstract: An overview of Snort NIDS Network intrusion detection systems (NIDS) are an important part of any network security architecture. 
They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues. Section: Network/Monitoring Format: text Files: /usr/share/doc/snort-doc/lisapaper.txt.gz debian/snort-common.manpages0000664000000000000000000000002412317374526013346 0ustar debian/snort-stat.8 debian/NEWS0000664000000000000000000000745212317374526007711 0ustar snort (2.9.2.2-3) experimental; urgency=medium The database output plugins have been removed by the upstream maintainers in Snort 2.9.3. These output plugins were already deprecated as of Snort 2.9.2. These have been removed alongside the Aruba and Prelude outputs. After the upgrade to a Snort 2.9.3.x release, systems using the database output should move to full unified2 logging and use barnyard2 to read those unified2 files and input them into their database. For more information see http://blog.snort.org/2012/07/database-output-is-dead-rip.html http://blog.snort.org/2012/05/two-things-you-should-know-about-snort.html and http://blog.snort.org/2011/06/snorts-output-methods.html -- Javier Fernández-Sanguino Peña Wed, 08 Aug 2012 21:13:42 +0200 snort (2.8.5.2-3) unstable; urgency=low The database information used by Snort to log alerts into a database (and configured automatically through Debconf) has now been moved to the /etc/snort/database.conf file. 
Note that this file might be empty if you are not logging to a database -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2010 15:31:24 +0100 snort (2.7.0-15) unstable; urgency=low The Database schema changed in Snort from 2.6 to the 2.7 release, if you are upgrading from an older release please see the document README-database-upgrade.Debian (available in the Snort documentation directory /usr/share/doc/snort-{mysql,pgsql}) and take the appropriate steps to update your Database schema. -- Javier Fernandez-Sanguino Pen~a Thu, 01 May 2008 22:38:46 +0200 snort (2.7.0-1) unstable; urgency=low Sourcefire changed the license of the IDS ruleset in 2.4 introducing the "VRT Certified rules" ruleset which is the official ruleset for Snort. This ruleset, however, is provided only through a non-free license which prohibits redistribution within this package. As a consequence this package provides only free (GPL) rules. No rule with a sid in the 3,465-1,000,000 range (VRT Certified) is included here. The rules provided on this package are based on the official ruleset for Snort 2.4 (updated 7/27/05) and the Community ruleset. Certified rules download require users either to pay (if they want the latest rules) or register (for rules provided with a 30-delay period). Users wishing to go this way can use the 'oinkmaster' package to auomatically update their rulesets once they have registered at snort.org's site. -- Javier Fernandez-Sanguino Pen~a Tue, 31 Jul 2007 23:42:44 +0200 snort (2.3.2-1) unstable; urgency=medium * In Snort version 2.3.0 and later the preferred configuration method uses /etc/default/snort rather than /etc/snort/snort.common.parameters. The new approach makes it possible to introduce improvements in the init.d script, such as sanity checks for common misconfigurations. * Upgrading automatically generates the file /etc/default/snort from /etc/snort/snort.common.parameters. 
* Since the automatically generated file may not be correct, you should inspect it or create a new one to your liking. If the configuration file is correct, delete /etc/snort/snort.common.parameters and restart the server to use the new file. The system will run Snort with the old configuration file until you do so. -- Javier Fernandez-Sanguino Pen~a Tue, 8 Feb 2005 23:55:57 +0100 snort (2.9.2.2-3) unstable; urgency=medium The database information used by Snort to log alerts into a database (and configured automatically through Debconf) has now been moved to the /etc/snort/database.conf file. Note that this file might be empty if you are not logging to a database -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2010 15:31:24 +0100 debian/snort-common.docs0000664000000000000000000000001612317374526012504 0ustar RELEASE.NOTES debian/control.inline0000664000000000000000000001520212317374526012062 0ustar Source: snort Section: net Priority: optional Maintainer: Javier Fernandez-Sanguino Pen~a Uploaders: Pascal Hakim Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (>= 4.1.13), libmysqlclient15-dev | libmysqlclient-dev, libpq-dev, po-debconf (>= 0.5.0), texlive, texlive-latex-base, gs-common, libprelude-dev, iptables-dev Standards-Version: 3.5.6 Package: snort Architecture: any Pre-Depends: adduser (>= 3.11) Depends: snort-rules-default (>= ${Source-Version}), debconf (>= 0.2.80) | debconf-2.0, syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${Source-Version}), logrotate, coreutils Conflicts: snort-mysql, snort-pgsql Replaces: snort-common (<< 2.0.2-3) Recommends: snort-doc Description: Flexible Network Intrusion Detection System Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. 
It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This package provides the plain-vanilla snort distribution and does not provide database (available in snort-pgsql and snort-mysql) or inline (available in snort-inline) support. . Homepage: http://www.snort.org Package: snort-inline Provides: snort Architecture: any Priority: optional Depends: snort-rules-default (>= ${Source-Version}), debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${Source-Version}), logrotate, coreutils Conflicts: snort, snort-mysql Description: Flexible Network Intrusion Detection System [Inline] Distribution of Snort with inline support. . Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . 
Homepage: http://www.snort.org Package: snort-common Architecture: all Pre-Depends: adduser (>= 3.11) Depends: perl-modules, debconf (>= 0.2.80) | debconf-2.0, syslogd | system-log-daemon, ${shlibs:Depends} Conflicts: snort (<< ${Source-Version}) Replaces: snort (<< 1.8.4beta1-1) Suggests: snort-doc Description: Flexible Network Intrusion Detection System [common files] Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This is a common package which holds cron jobs, tools and config files used by all Snort-based packages. . Homepage: http://www.snort.org Package: snort-doc Architecture: all Priority: optional Section: doc Description: Documentation for the Snort IDS [documentation] Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . 
Homepage: http://www.snort.org Package: snort-mysql Provides: snort Architecture: any Priority: extra Pre-Depends: adduser (>= 3.11) Depends: snort-rules-default (>= ${Source-Version}), debconf (>= 0.2.80) | debconf-2.0, syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${Source-Version}), logrotate, coreutils Conflicts: snort, snort-pgsql Description: Flexible Network Intrusion Detection System [MySQL] Distribution of Snort with support for logging to a MySQL database. . Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . Homepage: http://www.snort.org Package: snort-pgsql Provides: snort Architecture: any Priority: optional Depends: snort-rules-default (>= ${Source-Version}), debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), syslogd | system-log-daemon, ${shlibs:Depends}, snort-common (>= ${Source-Version}), logrotate, coreutils Conflicts: snort, snort-mysql Description: Flexible Network Intrusion Detection System [PostgreSQL] Distribution of Snort with support for logging to a PostgreSQL dbase. . Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . 
Homepage: http://www.snort.org Package: snort-rules-default Provides: snort-rules Architecture: all Depends: debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), syslogd | system-log-daemon, ${shlibs:Depends} Suggests: snort (>= 2.2.0) | snort-pgsql (>= 2.2.0) | snort-mysql (>= 2.2.0) Recommends: oinkmaster Description: Flexible Network Intrusion Detection System ruleset Snort default ruleset which provides a common set of accepted and test network intrusion detection rules developed by the Snort community. . These rules can be used as a basis for development of additional rules. . Homepage: http://www.snort.org/rules/ debian/snort.templates0000664000000000000000000001023612317374526012271 0ustar # These templates have been reviewed by the debian-l10n-english # team # # If modifications/additions/rewording are needed, please ask # debian-l10n-english@lists.debian.org for advice. # # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers. Template: snort/startup Type: select __Choices: boot, dialup, manual Default: boot _Description: Snort start method: Please choose how Snort should be started: automatically on boot, automatically when connecting to the net with pppd, or manually with the /usr/sbin/snort command. Template: snort/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: This value is usually "eth0", but this may be inappropriate in some network environments; for a dialup connection "ppp0" might be more appropriate (see the output of "/sbin/ifconfig"). . Typically, this is the same interface as the "default route" is on. You can determine which interface is used for this by running "/sbin/route -n" (look for "0.0.0.0"). . It is also not uncommon to use an interface with no IP address configured in promiscuous mode. 
For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a "port mirroring/spanning" port in a switch, to a hub, or to a tap). . You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration. Template: snort/address_range Type: string Default: 192.168.0.0/16 _Description: Address range for the local network: Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces). . Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them. Template: snort/disable_promiscuous Type: boolean Default: false _Description: Should Snort disable promiscuous mode on the interface? Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers. Template: snort/invalid_interface Type: error _Description: Invalid interface Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to "eth0", or you specified one which is invalid. Template: snort/send_stats Type: boolean Default: true _Description: Should daily summaries be sent by e-mail? A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address. . Please choose whether you want to activate this feature. Template: snort/stats_rcpt Type: string Default: root _Description: Recipient of daily statistics mails: Please specify the e-mail address that should receive daily summaries of Snort logs. 
Template: snort/options Type: string _Description: Additional custom options: Please specify any additional options Snort should use. Template: snort/stats_treshold Type: string Default: 1 _Description: Minimum occurrences before alerts are reported: Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics. Template: snort/please_restart_manually Type: note _Description: Snort restart required As Snort is manually launched, you need to run "service snort restart" for the changes to take place. Template: snort/config_parameters Type: error _Description: Obsolete configuration file This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort). . Please review the new configuration and remove the obsolete one. Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases. debian/compat0000664000000000000000000000000212317374526010400 0ustar 5 debian/snort.default0000664000000000000000000000221412317374526011714 0ustar # Parameters for the daemon # Add any additional parameteres here. PARAMS="-m 027 -D -d " # # Snort user # This user will be used to launch snort. Notice that the # preinst script of the package might do changes to the user # (home directory, User Name) when the package is upgraded or # reinstalled. So, do *not* change this to 'root' or to any other user # unless you are sure there is no problem with those changes being introduced. # SNORTUSER="snort" # # Logging directory # Snort logs will be dropped here and this will be the home # directory for the SNORTUSER. If you change this value you should # change the /etc/logrotate.d/snort definition too, otherwise logs # will not be rotated properly. 
# LOGDIR="/var/log/snort" # # Snort group # This is the group that the snort user will be added to. # SNORTGROUP="snort" # # Allow Snort's init.d script to work if the configured interfaces # are not available. Set this to yes if you configure Snort with # multiple interfaces but some might not be available on boot # (e.g. wireless interfaces) # # Note: In order for this to work the 'iproute' package needs to # be installed. ALLOW_UNAVAILABLE="no" debian/snort-stat.80000664000000000000000000000134212317374526011411 0ustar .Dd January 3, 1999 .Dt SNORT-STAT 8 .Os Gnu/Linux .Sh NAME .Nm snort-stat .Nd generates statistic of scans detected by snort .Sh SYNOPSIS .Nm cat /var/log/auth.log | /usr/sbin/snort-stat .Sh DESCRIPTION .Nm snort-stat is a small script that generates a nice statistic on the port scans that were detected by snort and reported via /var/log/snort/alert.log. The output of this script is mailed to a user that is setup in /etc/snort/snort.debian.conf. The cron script /etc/cron.daily/5snort uses this script. .Sh SEE ALSO .Xr snort 8 .Sh AUTHORS The script is mostly based on the snort-stat from Yen-Ming Chen . The hostname resolving, the big shrinkage and this manpage were done by Christian Hammers . debian/snort-common.templates0000664000000000000000000000327612317374526013565 0ustar # These templates have been reviewed by the debian-l10n-english # team # # If modifications/additions/rewording are needed, please ask # debian-l10n-english@lists.debian.org for advice. # # Even minor modifications require translation updates and such # changes should be coordinated with translators and reviewers. Template: snort/deprecated_config Type: note _Description: Deprecated options in configuration file The Snort configuration file (/etc/snort/snort.conf) uses deprecated options no longer available for this Snort release. Snort will not be able to start unless you provide a correct configuration file. 
Either allow the configuration file to be replaced with the one provided in this package or fix it manually by removing deprecated options. . The following deprecated options were found in the configuration file: ${DEP_CONFIG} Template: snort/config_error Type: error _Description: Configuration error The current Snort configuration is invalid and will prevent Snort starting up normally. Please review and correct it. . To diagnose errors in your Snort configuration you can run (as root) the following: "/usr/sbin/snort -T -c /etc/snort/snort.conf" Template: snort/deprecated_file Type: note _Description: Deprecated configuration file Your system has deprecated configuration files which should not be used any longer and might contain deprecated options. If included through the standard configuration file (/etc/snort/snort.conf), they might prevent Snort from starting up properly. . Please remove these files as well as any existing references to them in the /etc/snort/snort.conf configuration file. . The following deprecated configuration files were found: ${DEP_FILE} debian/snort-inline.debian.conf0000664000000000000000000000066712317374213013715 0ustar # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort(-flavour)?" to change them. # # Replace (-flavour)? by pgsql, mysql or keep it empty depending on # what flavour of Snort you run. 
# DEBIAN_SNORT_STARTUP=boot DEBIAN_SNORT_HOME_NET="192.168.0.0/16" DEBIAN_SNORT_OPTIONS="-i eth0" DEBIAN_SNORT_STATS_RCPT="root" DEBIAN_SNORT_STATS_THRESHOLD="1" debian/snort-mysql.dirs0000664000000000000000000000025612317374213012371 0ustar etc/cron.daily etc/init.d etc/logrotate.d etc/default etc/ppp/ip-down.d etc/ppp/ip-up.d etc/snort usr/sbin usr/share/doc/snort usr/share/man/man8 var/log/snort var/lib/snort debian/my/0000775000000000000000000000000012317374213007620 5ustar debian/my/snort.ip-down.d0000664000000000000000000000473612317374526012527 0ustar #!/bin/sh -e test $DEBIAN_SCRIPT_DEBUG && set -v -x # Initial configuration :) DAEMON=/usr/sbin/snort NAME=snort DESC="Network Intrusion Detection System" CONFIG=/etc/snort/snort.debian.conf test -x $DAEMON || exit 0 test -f $CONFIG && . $CONFIG test "$DEBIAN_SNORT_STARTUP" = "dialup" || exit 0 if ! [ "$DEBIAN_SNORT_RECURSIVE" ]; then # Acquire lock... trap 'rm -f /var/run/snort.ppp.lock' 0 for tries in $(seq 1 10); do mkfifo /var/run/snort.ppp.lock 2>/dev/null && break sleep 1 done # Now it's locked or timed out. # In the latter case we assume stale lock. fi # If we are started with ppp environment set... if [ "$PPPD_PID" -a "$PPP_IFACE" -a "$PPP_LOCAL" ]; then echo -n "Stopping $DESC: $NAME($PPP_IFACE)" PIDFILE=/var/run/snort_$PPP_IFACE.pid ENVFILE=/var/run/snort_$PPP_IFACE.env test -f "$PIDFILE" && pid=$(cat "$PIDFILE") # We remove the saved environment, if we are not asked to # keep them. DEBIAN_SNORT_KEEPENV is not set, if we're # called by pppd, thus we always remove stale environments. test $DEBIAN_SNORT_KEEPENV || rm -f "$ENVFILE" /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null rm -f "$PIDFILE" echo "." exit 0 fi # Else, we are started without ppp environment set... 
DEBIAN_SNORT_RECURSIVE=1 export DEBIAN_SNORT_RECURSIVE # We keep the environments, thus the instances are restartable DEBIAN_SNORT_KEEPENV=1 export DEBIAN_SNORT_KEEPENV # If we have saved environments, check and probably stop them... envpattern=/var/run/snort_*.env # If we are requested to stop one special environment... test "$1" -a -z "$2" && envpattern=/var/run/snort_"$1".env myret=0 got_instance=0 for env in $envpattern; do # This check is also needed, if the above pattern doesn't match test -f "$env" || continue; . "$env" # Prevent endless recursion because of damaged environments # Check, if the environment is still valid... if [ "$PPPD_PID" -a "$PPP_IFACE" -a "$PPP_LOCAL" ] && kill -0 $PPPD_PID 2>/dev/null && ps -p $PPPD_PID | grep -q pppd; then got_instance=1 export PPPD_PID PPP_IFACE PPP_LOCAL # Because the stop of this particular environment could # fail, we guard it set +e $0 "$@" ret=$? set -e case "$ret" in 0) ;; *) myret=$(expr "$myret" + 1) ;; esac else rm -f "$env" fi done # If we found no saved environments, we don't need to stop anything if [ "$got_instance" = 0 ]; then echo "No snort instance found to be stopped!" >&2 fi exit $myret debian/my/FAQ.txt0000664000000000000000000037266512317374526011022 0ustar The Snort FAQ The Snort Core Team Suggestions for enhancements of this document are always welcome. Please email them to erek@snort.org . If you have contributed to this document and don't see your name listed, email us. 
Many people have contributed to this FAQ: Marty Roesch Fyodor Yarochkin Dragos Ruiu Jed Pickel Max Vision Michael Davis Joe McAlerney Joe Stewart Erek Adams Roman Danyliw Christopher Cramer Frank Knobbe Phil Wood Toby Kohlenberg Ramin Alidousti Jim Hankins Dennis Hollingworth Paul Howell Stef Mit Ofir Arkin Jason Haar Blake Frantz Lars Norman Sndergaard Brent Erickson Brian Caswell Scot Wiedenfeld Chris Green Jeff Wirth Edin Dizdarevic Detmar Liesen Don Ng Matt Kettler Joe Lyman Jim Burwell Jed Haile Andrew Hutchinson Jeff Nathan Alberto Gonzalez Jason Haar Dragos Ruiu: This version of this guide has been brought to you by the kind generosity and sponsorship of Wiley and Sons publishers whose support let myself, and other snort developers Jeff Nathan and Jed Haile take the time to work on this document and other tutorials for Snort due out in our upcoming book. (route++) Contents * Contents * 1 Background + 1.1 How do you pronounce the names of some of these guys who work on snort? + 1.2 Is Fyodor Yarochkin the same Fyodor who wrote nmap? + 1.3 Where do I get more help on snort? + 1.4 Where can I get more reading and courses about IDS? + 1.5 Does Snort handle IP defragmentation? + 1.6 Does Snort perform TCP stream reassembly? + 1.7 Does Snort perform stateful protocol analysis? + 1.8 I'm on a switched network, can I still use Snort? + 1.9 Is snort vulnerable to IDS noise generators like "Stick" and "Snot"? + 1.10 Can snort be evaded by the use of polymorphic mutators on shellcode? + 1.11 Does Snort log the full packets that it generates alerts? * 2 Getting Started + 2.1 Where do I find binary packages for BlueHat BSD-Linux-RT? + 2.2 How do I run snort? + 2.3 Where are my log files located? What are they named? + 2.4 Why does snort complain about /var/log/snort? + 2.5 Where's a good place to physically put a Snort sensor? + 2.6 Libpcap complains about permissions problems, what's going on? + 2.7 I've got RedHat and .... 
+ 2.8 Where do I get the latest version of libpcap? + 2.9 Where do I get the latest version of Winpcap? + 2.10 What version of Winpcap do I need? + 2.11 Why does building snort complain about missing references? + 2.12 Why does building snort fail with errors about yylex and lex_init? + 2.13 I want to build a snort box. Will this handle traffic? + 2.14 What are CIDR netmasks? + 2.15 What is the use of the "-r" switch to read tcpdump files? * 3 Configuring Snort + 3.1 How do I setup snort on a 'stealth' interface? + 3.2 How do I setup a receive-only ethernet cable? + 3.3 What are HOME_NET and EXTERNAL_NET? + 3.4 My network spans multiple subnets. How do I define HOME_NET? + 3.5 How do I set EXTERNAL_NET? + 3.6 How can I run snort on multiple interfaces simultaneously. + 3.7 My IP address is assigned dynamically to my interface, can I use snort with it? + 3.8 I have one network card and two aliases, how can I force snort to "listen" on both addresses ? + 3.9 How do I ignore traffic coming from a particular host or hosts? + 3.10 How do I get Snort to log the packet payload as well as the header? + 3.11 Why are there no subdirectories under /var/log/snort for IP addresses? + 3.12 Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list? + 3.13 What the heck is a ``Stealth scan''? + 3.14 What the heck is a SYNFIN scan? + 3.15 Which takes precedence, commandline or rule file ? + 3.16 How does rule ordering work? + 3.17 How do I configure stream4? + 3.18 Where does one obtain new/modified rules? How do you merge them in? + 3.19 How do you get the latest snort via cvs? + 3.20 How do I use a remote syslog machine? + 3.21 How do I build this ACID thing? * 4 Rules and Alerts + 4.1 Errors loading rules files + 4.2 Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?" + 4.3 Snort is behind a firewall and awfully quiet... + 4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF? + 4.5 I'm getting large amounts of . 
What should I do? Where can I go to find out more about it? + 4.6 What about all these false alarms? + 4.7 What are all these ICMP files in subdirectories under /var/log/ snort? + 4.8 Why does the program generate alerts on packets that have pass rules? + 4.9 What are all these "ICMP destination unreachable" alerts? + 4.10 Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? + 4.11 Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? + 4.12 What about "CGI Null Byte attacks"? + 4.13 Why do certain alerts seem to have 'unknown' IPs in ACID? + 4.14 Can priorities be assigned to Alerts using ACID? + 4.15 What about 'SMB Name Wildcard' alerts? + 4.16 What the heck is a SYNFIN scan? + 4.17 I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off? + 4.18 How do I test snort alerts and logging? + 4.19 What is the difference between ``Alerting'' and ``Logging''? + 4.20 Are rule keywords ORed or ANDed together? + 4.21 Can snort trigger a rule by MAC addresses? + 4.22 How can I deactivate a rule? + 4.23 How can I define an address to be anything except some hosts? + 4.24 After I add new rules or comment out rules how do I make snort reload? + 4.25 Where do the distance and within keywords work from to modify content searches in rules ? + 4.26 How can I specify a list of ports in a rule? + 4.27 How can I protect web servers running on ports other than 80? + 4.28 How do I turn off "spp:possible EVASIVE RST detection" alerts? + 4.29 Is there a private SID number range so my rules don't conflict? + 4.30 How long can Address Lists, Variables, or Rules be? * 5 Getting Fancy + 5.1 I hear people talking about ``Barnyard''. What's that? + 5.2 How do I process those snort logs into reports? + 5.3 How do I log to multiple databases or output plugins? + 5.4 How can I test snort without having an ethernet card or a connection to other computers? 
+ 5.5 How to start snort as a win32 service? + 5.6 Is it possible with snort to add a ipfilter/ipfw rule to a firewall? + 5.7 What is the best way to use snort to block attack traffic? + 5.8 Snort complains about the "react" keyword... + 5.9 How do I get snort to e-mail me alerts? + 5.10 How do I log a specific type of traffic and send alerts to syslog? + 5.11 Is it possible to have snort call an external program when an alert is raised? + 5.12 How can I use snort to log http urls or smtp traffic ? + 5.13 How can I move data from the snort db to snort_archive db like ACID does? + 5.14 What are some resources that I can use to understand more about source addresses logged and where they are coming from? + 5.15 How do I understand this traffic and do IDS alert analysis? + 5.16 How can I examine logged packets in more detail? * 6 Problems + 6.1 I think I found a bug in snort. Now what? + 6.2 SMB alerts aren't working, what's wrong? + 6.3 Snort says "Garbage Packet with Null Pointer discarded!". Huh? + 6.4 Snort says "Ran Out Of Space". Huh? + 6.5 My ACID db connection times-out when performing long operations (e.g. deleting a large number of alerts) + 6.6 Why does ACID keep changing my sensor number and how do I keep it consistent? + 6.7 Why does snort report "Packet loss statistics are unavailable under Linux"? + 6.8 My /var/log/snort directory get very large..... + 6.9 Why does the 'error deleting alert' message occur when attempting to delete an alert with ACID? + 6.10 ACID appears to be broken in Lynx + 6.11 I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong. + 6.12 On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument + 6.13 I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong? + 6.14 I am using Snort on Windows and receive an ``OpenPcap() error upon startup: ERROR: OpenPcap() device open: Error opening adapter'' What's wrong? 
+ 6.15 Snort is not logging to my database! + 6.16 Portscans are not being logged to my database + 6.17 Snort is not logging to syslog + 6.18 I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERS var + 6.19 Why chrooted snort die when I send it a SIGHUP? + 6.20 My snort crashes, how do I restart it? + 6.21 Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub + 6.22 Trying to install snort it says: "bad interpreter: No such file or directory" + 6.23 I'm not seeing any interfaces listed under Win32. + 6.24 It's not working on Win32, how can I tell if my problem is snort or WinPcap? + 6.25 I just downloaded a new ruleset and now snort fails complaining about the rules. + 6.26 How do I speed up ACID and MySQL ? + 6.27 Why am I seeing so many "SMTP RCPT TO overflow" alerts ? + 6.28 I'm getting lots of *ICMP Ping Speedera*, is this bad? + 6.29 Why are my unified alert times off by +/- N hours? + 6.30 I try to start snort and it gives an error like "ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc". What can I do to fix this? * 7 Development + 7.1 How do you put snort in debug mode? * 8 Miscellaneous + 8.1 What's this about a snort drinking game? 1 Background 1.1 How do you pronounce the names of some of these guys who work on snort? For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc' (think of the sound your car makes when it doesn't start on a cold morning). Jed's last name is like "pick-el", not "pickle". 1.2 Is Fyodor Yarochkin the same Fyodor who wrote nmap? Nope. fyodor@insecure.org is the author of nmap, and he uses the same pseudonym as other snort Fyodor's real surname. Yeah, messes up my mailbox too, but I think it's too late to change either of them :-). 1.3 Where do I get more help on snort? Check the website, http://www.snort.org/ . 
Other good resources are are available in the source distribution, including the Snort Users Manual and the USAGE file. There is also a excellent mailing list, snort-users. You can find info on how to signup at http://www.snort.org/lists.html . You can also join # snort on irc.freenode.het. 1.4 Where can I get more reading and courses about IDS? All of the following offer courses on Intrusion Detection: * SANS - http://www.sans.org * Usenix - http://www.usenix.org/event/ * Networld/Interop - http://www.key3media.com/interop/ * CanSecWest - http://www.cansecwest.com There are some books about Snort that are about to be published: +--------------------------------------------------------------------------------------------------------+ | | | | | | |----------------------------------+---------------------------+----------------+--------------+---------| | Snort: The Complete Guide | Jeff Nathan, Dragos Ruiu, | Wiley&Sons | 0471455970 | 06/2003 | |----------------------------------+---------------------------+----------------+--------------+---------| | to Intrusion Detection | Jed Haile | | | | |----------------------------------+---------------------------+----------------+--------------+---------| | Intrusion Detection with Snort: | Rafeeq Rehman | Prentice Hall | I0131407333 | 05/2003 | |----------------------------------+---------------------------+----------------+--------------+---------| | Advanced IDS Techniques | | | | | |----------------------------------+---------------------------+----------------+--------------+---------| | Snort Intrusion Detection | Ryan Russell | Syngress Media | 1931836744 | 02/2003 | |----------------------------------+---------------------------+----------------+--------------+---------| | Snort Intrusion Detection | Jack Koziol | New Riders | 157870281X | 04/2003 | |----------------------------------+---------------------------+----------------+--------------+---------| | | | | | | 
+--------------------------------------------------------------------------------------------------------+ Many good books on Intrusion detection are available. Included are just a few: +-------------------------------------------------------------------------------------+ | | | | |---------------------------------------------------+--------------------+------------| | Network Intrusion Detection An Analyst's Handbook | Stephen Northcutt | 0735708681 | |---------------------------------------------------+--------------------+------------| | Intrusion Signatures and Analysis | Stephen Northcutt | 0735710635 | |---------------------------------------------------+--------------------+------------| | TCP/IP Illustrated, Volume 1 The Protocols | W. Richard Stevens | 0201633469 | |---------------------------------------------------+--------------------+------------| | Intrusion Detection | Rebecca G. Bace | 1578701856 | |---------------------------------------------------+--------------------+------------| | | | | +-------------------------------------------------------------------------------------+ 1.5 Does Snort handle IP defragmentation? Yes, use "preprocessor frag2" 1.6 Does Snort perform TCP stream reassembly? Yes, check out the stream4 preprocessor (see FAQ 3.17) that does stateful analysis session loggin, tcp reassembly and much much more. 1.7 Does Snort perform stateful protocol analysis? Yes. (see FAQ 3.17) does this as well. 1.8 I'm on a switched network, can I still use Snort? Short version: Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port. Extended version: There are several ways of deploying NIDS in switched environments which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods: 1. 
Switch Mirror - if the switch can mirror traffic, then set the switch to mirror all traffic to the snort machine's port. + Advantages: - Simple method, works with most decent switches. + Drawbacks: - if the switch is a fast ethernet switch, you can mirror 100Mbit/s max. Since each switch port is capable of handling 100Mbit/s for each direction, the bandwidth per port sums up to 200Mbit/s, so the switch will not be able to mirror all packets at high network utilization. - some switches suffer from performance degradation through port mirroring. 2. Hub - inserting a hub in line, so you can simply tap all traffic. Works fine for home networks, will lose data due to collisions at loads greater than 50% - so a 10Mbps hub should be fine for T1/E1, DSL or cablemodem. If you have a DS3 or greater, you should investigate taps. + Advantages: -Simple method -No impact on switch performance and no config changes -low cost + Drawbacks: -loss of full-duplex capabilities -additional single point of failure - collision loss at above 50% load levels 3. Network Taps - using network taps (e.g. Shomiti/Finisar^[*] and Netoptics^ [*]). You can find some rather good information in the papers by Jeff Nathan. You can find the papers at http://www.snort.org/docs/#deploy . + Advantages: - no impact on switch performance and no special configuration - stealth, i.e. sending data back to the switch is disabled - no single point of failure, "fail-open" if the tap power fails + Drawbacks: - the datastream is split into TX and RX, so you need two NICs - the two datastreams have to be recombined, i.e. merged, if you don't want to lose the capability of doing stateful analysis. This can be done by using channel bonding. Information can be found at http:// sourceforge.net/projects/bonding . - cost 4. 
Throw money at it - tapping all switch ports (using the aforementioned network taps) but only tapping all incoming packets (RX lines of the switch ports), connecting those tap ports to a dedicated gigabit switch, which is capable of mirroring up to ten RX taplines to one single dedicated gigabit port, which is connected to a gigabit IDS machine. + Advantages: -maximum coverage (i.e. monitor all switchports) -no performance degradation or re-configuration of the switch + Drawbacks: -mucho $$$ 1.9 Is snort vulnerable to IDS noise generators like "Stick" and "Snot"? It is now possible to defeat these kinds of noise generators with the stream4 preprocessor (see FAQ 3.17). Even without the stream4 preprocessor enabled, snort will weather the alert storm without falling over or losing a lot of alerts due to its highly optimized nature. Using tools that generate huge amounts of alerts will warn a good analyst that someone is trying to sneak by their defenses: treat an alert storm as a reason to look harder at the traffic that accompanies it, not as a reason to ignore the sensor. 1.10 Can snort be evaded by the use of polymorphic mutators on shellcode? Yes, and this could defeat some of the NOP sled detection signatures but the ordinary exploit rules should not be affected by this kind of obfuscation. The fnord preprocessor attempts to detect mutated or obfuscated long strings of NOP equivalent sleds. 1.11 Does Snort log the full packets for which it generates alerts? Yes, the packets should be in the directory that has the same IP address as the source host of the packet which generated the alert. If you are using binary logging, there will be a packet capture file (.pcap) in the logging directory instead. 2 Getting Started 2.1 Where do I find binary packages for BlueHat BSD-Linux-RT? 
Repeat after me: wget http://www.snort.org/downloads/snort-stable.tgz tar zxvf snort-stable.tgz cd snort-stable ./configure make su make install mkdir /var/log/snort cd etc vi snort.conf snort -D -c snort.conf exit ...and if you want to use our binary package uninstaller :-): cd snort-stable; make uninstall and if you must, you can find some binaries at http://www.snort.org/dl/binaries / . You can also find Snort in most BSD ports trees. 2.2 How do I run snort? Run Snort in sniffer mode and make sure it can see the packets. snort -dv Then run it with the HOME_NET set appropriately for the network you're defending in your rules file. A default rules file comes with the snort distribution and is called "snort.conf" You can run this basic ruleset with the following command line: snort -A full -c snort.conf If it's all set right, make sure the interface is in promiscuous mode by running the command from another window: ifconfig -a The output from ifconfig should show if the interface is in promiscuous mode. If it's not, there should be a way to set it manually. Note that the default output mode (-A full) of snort should not be used except in very controlled environments. It is the slowest way to run snort and presents several hard to recover from problems with inode creation on filesystems. For people doing real IDS work, use something like (-A fast -b) to combine fast alert mode with tcpdump binary log files or use the unified format coupled with (see FAQ [*]). 2.3 Where are my log files located? What are they named? The default location for logs is /var/log/snort. If snort is started with "-l ", then the logs will be located in the directory specified. In the past, running Snort in daemon mode (-D) produced a file named "snort.alert". For consistency sake, this has been changed. Running Snort in both standard or daemon modes (-D) will produce a file named "alert". Note the log file naming convention changed between 1.8 and 1.9. 
That funny alphanumeric soup at the end of the new names is a UNIX timestamp. This helps avoid file conflicts. 2.4 Why does snort complain about /var/log/snort? It requires this directory to log alerts to it. Try running the command: mkdir -p /var/log/snort Make sure the logging directory is owned by the user snort is running as, and is not writable by anyone else: the alert and packet logs are your evidence, and a world-writable log directory lets any local user tamper with or plant them. 2.5 Where's a good place to physically put a Snort sensor? This is going to be heavily influenced by your organization's policy, and what you want to detect. One way of looking at it is determining if you want to place it inside or outside your firewall. Placing an IDS outside of your firewall will allow you to monitor all attacks directed at your network, regardless of whether or not they are stopped at the firewall. This almost certainly means that the IDS will pick up on more events than an IDS inside the firewall, and hence more logs will be generated. Place an IDS inside your firewall if you are only interested in monitoring traffic that your firewall let pass. If resources permit, it may be best to place one IDS outside and one IDS inside of your firewall. This way you can watch for everything directed at your network, and anything that made its way in. ADDENDA AD NAUSEUM Note: So this one still gets a lot of traffic even though it's in the FAQ. Erek Adams has noted this comprehensive and authoritative discussion of this perpetual discussion item - mildly edited, also see faq question about switches hubs and taps -dr If your router/switch can do port mirroring then just connecting a network IDS to it would be fine. Else a hub could be another option. Most network IDS can have a NIC that acts as a passive sniffer anyway. As to where to place the sensor: I would go for both, one to monitor the external, one for the internal. I work in a distributor for security products, so over instrumentation is fun :) And in any case, if the traffic does not pass by the Sensor it will not get monitored. 
So some people deploy IDS on their internal segments too I believe. In ``front'' of the firewall(s): Pro: Higher state of alert: you know what attacks you are facing. Con: Wall to Wall of data, boring? If your firewall has NAT turned on, tracking the sources originating from your internal network is difficult. ``Behind'' the firewall(s): Pro: Only what gets through the firewall gets monitored? Less load on the IDS analyst. You get to see what hosts are sending traffic to the internet. Con: Less idea of the state of the environment, false sense of safety. Where should IDS be placed relative to firewalls? Explore the pros and cons of placing IDS inside or outside firewall. What are the drawbacks of each? * MARCUS RANUM from NFR Security: "I'd put mine inside. Why should I care if someone is attacking the outside of my firewall? I care only if they succeed, which my IDS on the inside would ideally detect. Placing the IDS on the outside is going to quickly lull the administrator into complacency. I used to have a highly instrumented firewall that alerted me whenever someone attacked it. Two weeks later I was deleting its alert messages without reading them. Another important factor arguing for putting it inside is that not all intrusions come from the outside or the firewall. An IDS on the inside might detect new network links appearing, or attackers that got in via another avenue such as a dial-in bank.'' * CURRY from IBM: ``The IDS should be placed where it will be able to see as much of the network traffic you're concerned about as possible. For example, if you're concerned about attacks from the Internet, it makes the most sense to put the IDS outside the firewall. This gives it an "unobstructed" view of everything that's coming in. 
If you put the IDS inside the firewall, then you're not seeing all the traffic the bad guys are sending at you, and this may impact your ability to detect intrusions.'' * SUTTERFIELD from Wheel Group: ``IDS ideally plays an important role both inside and outside a firewall. Outside a firewall, IDS watches legitimate traffic going to public machines such as e-mail and Web servers. More importantly IDS outside a firewall will see traffic that would typically be blocked by a firewall and would remain undetected by an internal system. This is especially important in detecting network sweeping which can be a first indication of attack. External systems will also give you the benefit of monitoring those services that firewalls determine are legitimate. Putting an IDS inside the firewall offers the added benefit of being able to watch traffic internal to the protected network. This adds an important element of protection against insider threats. The major drawback of IDS inside a firewall is that it cannot see a good deal of important traffic coming from untrusted networks and may fail to alert on obvious signals of an impending attack.'' * CHRIS KLAUS from ISS: ``Outside the firewall is almost always a good idea-it protects the DMZ devices from attack and dedicates an additional processor to protecting the internal network. Just inside the firewall is also useful-it detects attempts to exploit the tunnels that exist through the firewall and provides an excellent source of data for how well your firewall is working. Throughout your intranet may be the best place for IDS deployment, however. Everyone agrees that attacks aren't the only things we're worried about-there's internal mischief, fraud, espionage, theft, and general network misuse. 
Intrusion detection systems are just as effective inside the network as outside, especially if they're unobtrusive and easy to deploy.'' * GENE SPAFFORD: ``The IDS must be inside any firewalls to be able to detect insider abuse and certain kinds of attacks through the firewall. IDS outside the firewall may be useful if you want to monitor attacks on the firewall, and to sample traffic that the firewall doesn't let through. However, a true IDS system is likely to be wasted there unless you have some follow-through on what you see.'' * Bottom Line: DRAGOS RUIU: ``just pick a spot you're likely to look at the logs for :-)'' 2.6 Libpcap complains about permissions problems, what's going on? Opening a capture interface needs root privileges: you are not running snort as root, or your kernel is not configured correctly. Snort only needs those privileges to open the interface, so it is good practice to have it drop to an unprivileged user once it is running (where your version supports that) and to make that user the owner of the log directory (see 2.4), rather than leaving the whole process running as root. 2.7 I've got RedHat and .... Check your version of libpcap. If it's not >= 0.5, then you should update. 2.8 Where do I get the latest version of libpcap? You can find the most current version at: http://www.tcpdump.org/ You might also want to have a look at Phil Wood's patches to libpcap for Linux. http://public.lanl.gov/cpw/ 2.9 Where do I get the latest version of Winpcap? http://winpcap.polito.it/ 2.10 What version of Winpcap do I need? It depends. If you only have one processor, you can use the most current version (3.x). If you have an SMP box, you'll have to use either an older version (< 2.3) or the 3.x version plus a patch from http://www.ntop.org/ winpcap.html . 2.11 Why does building snort complain about missing references? You must configure libpcap with the -install-incl option. (On RedHat, install the libpcap-devel rpm.) 2.12 Why does building snort fail with errors about yylex and lex_init? You need the lex and yacc tools or their gnu equivalents flex and bison installed. 2.13 I want to build a snort box. Will this handle traffic? That depends. Lowering the number of rules is a standard way to increase performance. Disable rules that you don't need or care about. 
There have been many discussions on 'tweaking performance' with lots of 'I handle XX mb with a ___ machine setup.' being said. Look at some of the discussions on the snort-users mailing lists. Here is an oft quoted bit on the subject from Marty: "Hardware/OS recommendations" Ok, here are the guidelines and some parameters. Intrusion detection is turning into one of the most high performance production computing fields that is in wide deployment today. If you think about the requirements of a NIDS sensor and the constraints that they are required to operate within, you'll probably start to realize that it's not too hard to find the performance wall with a NIDS these days. The things a NIDS needs are: 1. MIPS (Fast CPU) 2. RAM (More is *always* better) 3. I/O (Wide, fast busses and high performance NIC) 4. AODS (Acres Of Disk Space) A NIDS also needs to be pretty quick internally at doing its job. Snort's seen better days in that regard (when 1.5 came out the architecture was a lot cleaner) but it's still considered to be one of the performance leaders available. As for OS selection, use what you like. When we implement Data Acquisition Plugins in Snort 2.0 this may become more of a factor, but for now I'm hearing about a lot of people seeing a lot of success using Snort on Solaris, Linux, *BSD and Windows 2000. Personally, I develop Snort on FreeBSD and Sourcefire uses OpenBSD for our sensor appliance OS, but I've been hearing some good things about the RedHat Turbo Packet interface (which would require mods for Snort to use, not to mention my general objection to RedHat's breaking stuff all the time). (ed note: take a drink, see FAQ 8.1 -dr) 2.14 What are CIDR netmasks? (Excerpt from url: http://public.pacbell.net/dedicated/cidr.html ) CIDR is a new addressing scheme for the Internet which allows for more efficient allocation of IP addresses than the old Class A, B, and C address scheme. 
CIDR Block Equivalent Class C IP Addresses Usable Addresses Subnet Mask /32 1/256th of a Class C 1 1 255.255.255.255 /30 1/64th of a Class C 4 2 255.255.255.252 /29 1/32nd of a Class C 8 6 255.255.255.248 /28 1/16th of a Class C 16 14 255.255.255.240 /27 1/8th of a Class C 32 30 255.255.255.224 /26 1/4th of a Class C 64 62 255.255.255.192 /25 1/2 of a Class C 128 126 255.255.255.128 /24 1 Class C 256 254 255.255.255.0 /23 2 Class C 512 510 255.255.254.0 /22 4 Class C 1,024 1022 255.255.252.0 /21 8 Class C 2,048 2046 255.255.248.0 /20 16 Class C 4,096 4094 255.255.240.0 /19 32 Class C 8,192 8190 255.255.224.0 /18 64 Class C 16,384 16,382 255.255.192.0 /17 128 Class C 32,768 32,766 255.255.128.0 /16 256 Class C 65,536 65,534 255.255.0.0 /15 512 Class C 131,072 131,070 255.254.0.0 /14 1,024 Class C 262,144 262,142 255.252.0.0 /13 2,048 Class C 524,288 524,286 255.248.0.0 For more detailed technical information on CIDR, check out the following RFCs: * RFC 1517: Applicability Statement for the Implementation of CIDR * RFC 1518: An Architecture for IP Address Allocation with CIDR * RFC 1519: CIDR: An Address Assignment and Aggregation Strategy * RFC 1520: Exchanging Routing Information Across Provider Boundaries in the CIDR Environment RFCs are available at http://www.rfc-editor.org/rfcsearch.html 2.15 What is the use of the "-r" switch to read tcpdump files? Used in conjunction with a snort rules file, the tcpdump data can be analyzed for hostile content, port scans, or anything else Snort can be used to detect. Snort can also display the packets in a decoded format, which many people find is easier to read than native tcpdump output. 3 Configuring Snort 3.1 How do I setup snort on a 'stealth' interface? *BSD and Linux: ifconfig eth1 up Solaris: ifconfig eth1 plumb ifconfig eth1 up NT/W2K/XP: NOTE: You are at your own risk if you follow these instructions. Editing your registry is DANGEROUS and should be done with extreme caution. Follow these steps at your OWN risk. 1. 
Get your device's hex value. ('snort -W' works for this) 2. open Regedt32 3. Navigate out to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} (export this key from Regedt32 first so you can restore it if something goes wrong) 4. Select the network card you wish to setup as the monitoring interface (this will be the {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} value). 5. Set IPAddress:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK) 6. Set SubnetMask:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK) 7. Set DefaultGateway:REG_MULTI_SZ: to null (Double click on the string, delete data in the Multi-String Editor, then click OK) 8. Close the Registry Editor, your changes will be saved automatically. 9. In a command prompt, run 'ipconfig' to verify the interface does not have an IP bound to it. If you do not receive an IP address listing from the interface you modified, you are good to go. To run snort with the specified interface, use the -i flag such as 'snort -v -d -p -i1' 3.2 How do I setup a receive-only ethernet cable? Use an ethernet tap, or build your own 'receive-only' ethernet cable. Anyway, here is the cable I use: * []LAN Sniffer 1 ---\ /- 1 2 --\ | \- 2 3 --+-*--- 3 4 - | - 4 5 - | - 5 6 --*---- 6 7 - - 7 8 - - 8 Basically, 1 and 2 on the sniffer side are connected, 3 and 6 straight through to the LAN. 1 and 2 on the LAN side connect to 3 and 6 respectively. This fakes a link on both ends but only allows traffic from the LAN to the sniffer. It also causes the 'incoming' traffic to be sent back to the LAN, so this cable only works well on a hub. You can use it on a switch but you will get ...err... interesting results. 
Since the switch receives the packets back in on the port it sent them out, the MAC table gets confused and after a short while devices start to drop off the switch. Works like a charm on a hub though. Another method which uses a capacitor and should work on 100mbs links: http://www.geocities.com/samngms/sniffing_cable And another: The UTP Y-Cable specified by Joe Lyman: A less noisy option: it involves a couple of cat 5 cables and a single speed hub. The idea is to use the rcv cables for the wire going to the sniffer box and use the xmit cables from another hub port. This will give you a link light and allow your sniffer to rcv only. Cannot xmit because the xmit cables are not connected. This has been successfully used on netgear single speed hubs. It wont work on dual speed hubs due to the negotiation of speed. Pin outs. They are reversed in the picture in order to prevent lines from crossing, and I only included the pins used. * []HUB PORT 1 HUB PORT 2 ----- ----- x x r r r r x x 6 3 2 1 1 2 3 6 | | | | | | | | | ----------- | | | ------------- | | | | | | | | 6 3 2 1 r r x x ---- SNIFFER x = xmit r = rcv You could make it a single cable by adding a battery to simulate the voltage from the xmit cables on the nic, but batteries die. It's not recommended to cut the transmit side, shunt it to ground (pin 2). Some OS's will disable the interface if PIN 1 does not indicate a completed circuit. 3.3 What are HOME_NET and EXTERNAL_NET? HOME_NET and EXTERNAL_NET are standard variable names that all of the Snort.Org rules use. HOME_NET refers to the network(s) that you want to protect, where EXTERNAL_NET is the network(s) that you think attacks would come from. 3.4 My network spans multiple subnets. How do I define HOME_NET? Snort 1.7 supports IP lists. You can assign a number of addresses to a single variable. For example: var HOME_NET [10.1.1.0/24,192.168.1.0/24] Note: Not all preprocessors support IP lists at this time. 
Unless otherwise stated, assume that any preprocessor using an IP list variable will use the first value as the HOME_NET. The portscan preprocessor is an example. To catch all detectable portscans, pass 0.0.0.0/0 in as the first parameter. preprocessor portscan: 0.0.0.0/0 5 3 portscan.log Use the portscan-ignorehosts preprocessor to fine tune and ignore traffic from noisy, trusted machines. 3.5 How do I set EXTERNAL_NET? Many people set EXTERNAL_NET to ``any''. var EXTERNAL_NET any By setting it to ``any'' Snort will alert you on any traffic matching a rule coming into or leaving your network. To cut down on the work that Snort has to do, many people set it to ``not HOME_NET''. var EXTERNAL_NET !$HOME_NET This tells Snort to define EXTERNAL_NET as everything except HOME_NET. For most people this is the best thing to set it to. (Be aware of the trade-off: with this setting an attack launched from one HOME_NET host against another HOME_NET host will not match rules written as $EXTERNAL_NET -> $HOME_NET; keep ``any'' if you need to see internal-to-internal traffic.) 3.6 How can I run snort on multiple interfaces simultaneously. LINUX: If you aren't running snort on linux 2.1.x/2.2.x kernel (with LPF available) the only way is to run multiple instances of snort, one instance per interface (with the -i option specifying the interface). However for linux 2.1.x/2.2.x and higher you can use libpcap library with S. Krahmer's patch which allows you to specify 'any' as interface name. In this case snort will be able to process traffic coming to all interfaces. *BSD: Use the ``bridge'' interface to combine your nics into a logical interface (bridge0). 3.7 My IP address is assigned dynamically to my interface, can I use snort with it? Yes. With snort 1.7 and later, the INTERFACE_ADDRESS variable is available, where INTERFACE is the name of the interface (for example $eth0_ADDRESS). The value of this variable will always be set to the IP address/netmask of the interface which you run snort on. If the interface goes down and up again (and an IP address is reassigned) you will have to restart Snort. For earlier versions of snort numerous scripts to achieve the same result are available. 3.8 I have one network card and two aliases, how can I force snort to "listen" on both addresses ? 
Since version 1.7, you can specify an IP list like this: var HOME_NET [ 192.168.10.0/24, 10.1.1.1/16 ] 3.9 How do I ignore traffic coming from a particular host or hosts? There are two basic ways to ignore traffic from a host: * Pass Rules * BPF Filters Details: 1. Pass Rules: + Advantages: Gives you rule based control over the packets. Puts all your changes into 'one place'-snort.conf. + Disadvantages: Reverses the Rule order, can cause some headaches in tracking down problems. One poorly written pass rule can 'blind' your whole network. The more specific the pass rule is, the more CPU snort needs to process it which may be important on loaded nets. + Example: For example to ignore ALL ICMP traffic from host 192.168.0.1 using a pass rule: pass icmp 192.168.0.1 any -> $HOME_NET any (Always name the source host explicitly: ``pass icmp any any -> $HOME_NET any'' would silence every ICMP alert for your whole network, which is exactly the 'blinding' mentioned above.) 2. BPF Filters: + Advantages: Drops the packet at the BPF interface, which saves on processing. Speeds up Snort since it 'never sees' those packets. + Disadvantages: Poorly constructed filters can 'blind-side' you. + Example: To ignore all traffic from 192.168.0.1: snort not host 192.168.0.1 To ignore all ICMP ECHO-REQUESTS (pings) and ICMP-ECHO REPLY's (ping reply) from host 192.168.0.1: snort ``not ( (icmp[0] = 8 or icmp[0] = 0) and host 192.168.0.1 )'' 3.10 How do I get Snort to log the packet payload as well as the header? Use the "-d" command line option to log packet payload, or use the ``-b'' option to log the full binary packet. 3.11 Why are there no subdirectories under /var/log/snort for IP addresses? It depends on how your Snort configuration logs. If it logs in binary format, you'll have to process the binary log in order to get cleartext. You also might have ``-A mode'' (e.g. ``-A fast'') on the command line. Command line options always override the .conf file. 3.12 Why does the portscan plugin log "stealth" packets even though the host is in the portscan-ignorehosts list? These types of TCP packets are inherently suspicious, no matter where they are coming from. 
The portscan detector was built with the assumption that stealth packets should be reported, even from hosts which are not monitored for portscanning. An option to ignore "stealth" packets may be added in the future. 3.13 What the heck is a ``Stealth scan''? A Stealth scan can refer to more than one type of scan. * Half-Open or SYN scan-Instead of completing the full TCP three-way-handshake a full connection is not made. A SYN packet is sent to the system and if a SYN/ACK packet is received it is assumed that the port on the system is active. In that case the scanner answers with a RST instead of the final ACK, so the handshake is never completed (hence ``half-open''). If a RST/ACK packet is received, it is assumed that the port on the system is not active. * FIN scan-According to RFC 793 a system should send back an RST for all TCP ports closed when they receive a FIN packet for a specific port. * XMAS tree scan-According to RFC 793 a system should send back an RST for all TCP ports closed when they receive a FIN/URG/PUSH packet for a specific port. * NULL scan-According to RFC 793 a system should send back an RST for all TCP ports closed when they receive a packet without any TCP flags set for a specific port. * Slow scan-Any of the above scans could be used as a slow scan. A slow scan is when the attacker sends packets at a _very_ slow rate. Sometimes these scans can be conducted over hours, days, or weeks. The idea is since they are so slow, the victim's security measures won't ``notice'' the scan. 3.14 What the heck is a SYNFIN scan? SYNFIN scans got their name because there are both the SYN and FIN flags set. 3.15 Which takes precedence, commandline or rule file ? The command line always gets precedence over the rules file. If people want to try stuff out quickly without having to manually edit the rules file, they should be able to override many things from the command line. 3.16 How does rule ordering work? 
FOR 2.0 =>: Please see the documents on v2.0 at: myquotehtmladdnormallinkhttp://www.snort.org/docs/#devel http://www.snort.org/ docs/#devel FOR <= 1.9.X: Marty has answered this many times on the snort-users mailing list. Here is an excerpt from a post on Thu, 22 Feb 2001 00:31:53 -0500, titled "Re: [Snort-users] order of evaluation of rules" Currently, the data structures that store Snort rule data are the RuleTreeNodes (RTN) and the OptTreeNodes (OTN). These data structs are stored in a two dimensional linked list structure with the RTNs forming the top row of the "Array" and the OTNs forming the columns under the RTNs. Here's an ASCII illustration from the infamous "lisapaper": * []RTN RTN RTN ------- ------- --- | Chain Header | | Chain Header | | Chai | | | | | | Src IP | | Src IP | | Src | Dst IP |--->| Dst IP |--->| Dst | Src Port | | Src Port | | Src | Dst Port | | Dst Port | | Dst | | | | | ------- ------- --- | | | | | | OTN \|/ OTN \|/ ----V--- ----V---- | Chain Option | | Chain Option | | | | : | | Content | : | TCP Flags | : | ICMP Data | | Payload Size | | etc. | | | -------- | | | OTN \|/ ----V--- | Chain Option | | | | Content | | TCP Flags | | ICMP data | | Payload Size | | etc. | | | ------- | | Rules with similar rule headers (i.e. all the CGI rules, the old stealth port scan detection rules, most of the rules that focus on any single service, etc) are grouped under a single RTN for the sake of efficiency and the applicable OTNs are hung below them. 
For instance, if you have three rules like this: alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";) alert tcp any any -> $HOME 80 (content: "bar"; msg: "bar";) alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";) They all get grouped under the same RTN and the OTNs are "hung" beneath them like this: * [] RTN RTN ---------- ---------- | SIP: any | | SIP: any | | SP: any |---->| SP: any | | DIP: $HOME | | DIP: $HOME | | DP: 80 | | DP: 1-1024 | ---------- ---------- | | | | OTN \|/ \|/ -----v----- -----v----- | content: foo | | flags: S | | msg: foo | | msg: example | ---------- ---------- | | OTN \|/ -----v----- | flags: S | | msg: Port 80 SYN! | ---------- | | OTN \|/ -----v----- | content: baz | | msg: baz | ---------- This is an efficient way to do things because we only need to check the data in the RTN once with this method. There is actually another dimension to this array: the function pointer list. Each node in the "array" has a linked list of function pointers attached to it. The functions in this list are the tests that need to be done to determine whether the data in the current packet matches the current rule node's information. Having this function pointer list gives us great efficiency and flexibility: we don't need to perform tests for things the current rule doesn't contain (e.g. "any" ports/IPs, packet content on non-content rules, etc). It also allows us to analyze the packet with any function without having to make major modifications to the whole program (which was the case in versions prior to version 1.5). There are a couple of implications of this architecture. For the sake of this discussion on rules ordering, the one we're interested in is that rule order is tricky to figure out. 
For instance alert tcp any any -> $HOME 80 (content: "foo"; msg: "foo";) alert tcp any any -> $HOME 1:1024 (flags: S; msg: "example";) alert tcp any any -> $HOME 80 (flags: S; msg: "Port 80 SYN!";) alert tcp any any -> $HOME 80 (content: "baz"; msg: "baz";) gets built like this: * []\begin{verbatim} RTN RTN ---------- ---------- | SIP: any | | SIP: any | | SP: any |---->| SP: any | | DIP: \$HOME | | DIP: \$HOME | | DP: 80 | | DP: 1-1024 | ---------- ---------- | | | | OTN \|/ \|/ -----v----- -----v----- | content: foo | | flags: S | | msg: foo | | msg: example | ---------- ---------- | | OTN \|/ -----v----- | flags: S | | msg: Port 80 SYN! | ---------- | | OTN \|/ -----v----- | content: baz | | msg: baz | ---------- Note that all three of the port 80 rules will be checked before the "1:1024" rule due to the order in which the applicable RTN has been created. This is because the rules parser builds the first chain header for port 80 traffic and sticks it on the rules list, then on the next rule it sees that a new chain header is required, so it gets built and put in place. In this case you would intuitively expect to get the "example" message and never see the "Port 80 SYN! ", but the opposite is true. 3.17 How do I configure stream4? Stream4 is an entirely new preprocessor that performs two functions: * Stateful inspection of TCP sessions * TCP stream reassembly Marty implemented stream4 out of the desire to have more robust stream reassembly capabilities and the desire to defeat the latest "stateless attacks" that have been coming out against Snort (c.f. stick and snot). Stream4 is written with the intent to let Snort be able to handle performing stream reassembly for "enterprise class" users, people who need to track and reassemble more than 256 streams simultaneously. Marty optimized the code fairly extensively to be robust, stable, and fast. 
The testing and calculations I've performed lead me to be fairly confident that stream4 can provide full stream reassembly for several thousand simultaneous connections and stateful inspection for upwards of 64,000 simultaneous sessions. Stream4 is a large and complex piece of code (almost 2000 lines) and there are a lot of options associated with its runtime configuration, so I'll go over them here. preprocessor stream4: [noinspect], [keepstats], [timeout seconds], [memcap bytes] stream4_reassemble defaults: Reassemble client: ACTIVE Reassemble server: INACTIVE Reassemble ports: 21 23 25 53 80 143 110 111 513 Reassembly alerts: ACTIVE There is a new command line switch that is used in concert with the stream4 code, "-z". If the -z switch is specified, Snort will only alert (for TCP traffic) on streams that have been established via a three way handshake or streams where cooperative bidirectional activity has been observed (i.e. where some traffic went one way and something other than a RST or FIN was seen going back to the originator). With "-z" turned on, Snort completely ignores TCP-based stick/snot "attacks". (The flip side follows directly from that definition: with -z, TCP packets that are not part of such a session -- single-packet attacks, for instance -- will not raise alerts either, so you are trading stick/snot noise for that blind spot.) 3.18 Where does one obtain new/modified rules? How do you merge them in? New rules can be downloaded via CVS or alternatively may be found at http://www.snort.org . There is a mailing list dedicated to snort rules, called snort-sigs hosted at Sourceforge. There are some scripts/programs to help you with rule management: * oinkmaster: It is a simple Perl script to update the ruleset for you. http://www.algonet.se/~nitzer/oinkmaster/ * IDS Policy Manager: It is a win32 application that updates the ruleset using a gui then upload your rulesets via scp. http://www.activeworx.com/idspm * snortpp: a program to merge multiple files into one master file sorted by SID. 
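http://dragos.com/snortpp.tgz There is also this script that might be useful: * []#!/bin/sh
###############################################################################
# Download and install new IDS signatures for Snort.
#
# Fetches snortrules-stable.tar.gz plus its .md5 file, verifies the checksum,
# installs the *.rules files into $RULESPATH and asks the init script to
# reload Snort.  Meant to run as root from cron; it exits non-zero on any
# failure so that the cron wrapper notices.
#
# SECURITY NOTE (review): the tarball and the .md5 file are fetched from the
# same plain-HTTP location, so the checksum only catches a corrupted
# download -- whoever can tamper with the tarball can tamper with the .md5
# too.  Use an HTTPS source and/or a detached signature where available.
###############################################################################
set -u   # an unset variable here almost always means a typo in the config section

MAILTO="admin@mydomain.de"
MACHINE="machine1"
#set -x
SIGS_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz"
MD5_URL1="http://www.snort.org/dl/signatures/snortrules-stable.tar.gz.md5"
WGET="/usr/bin/wget"
#WGET_PARAMS="-N"
WGET_PARAMS="-t 3 -T 5 -N -a /etc/snort/snort.log -P /etc/snort"
# Wget parameters:
#  -t : Retries (here 3)
#  -N : Get the file only if newer
#  -a : Append the log messages to the specified file
#  -P : Save the file to the specified directory
#  -T : Timeout
ECHO="/bin/echo"
TAR="/bin/tar"
KILL="/bin/kill"
PIDOF="/sbin/pidof"
SNORT="/usr/local/bin/snort"
SNORTUSER="snort"
SNORTGROUP="snort"
# NOTE(review): Snort's own documentation lists SIGHUP as "restart / re-read
# the configuration" and SIGUSR1 as "dump statistics"; confirm that the
# signal below really reloads the rules on your Snort version.
KILLSIG="SIGUSR1"
SERVICE="/sbin/service"
# Where is the Snort configuration dir:
RULESPATH="/etc/snort/snortrules"
SNORTCFGPATH="/etc/snort"
MD5SUM="/usr/bin/md5sum"
MD5SUM_PARAMS=""
# The list of sensor interfaces divided by blanks
IFACES="eth0"
# Derived paths, kept in one place so the literals above stay the single
# source of truth.
LOGFILE="$SNORTCFGPATH/snort.log"
RULES_TGZ="$SNORTCFGPATH/snortrules-stable.tar.gz"
RULES_MD5="$SNORTCFGPATH/snortrules-stable.tar.gz.md5"
TMPDIR_RULES=""

###############################################################################
# F U N C T I O N S
###############################################################################

###############################################################################
# Start, or signal, Snort for every interface listed in $IFACES.
#
# To add an interface you have to do two things:
#   1. add it to $IFACES
#   2. create the configuration file $SNORTCFGPATH/snort.conf_<iface>
#
# Fix over the original: a running instance is only signalled, and a new
# instance is only started when nothing is running for that interface.  The
# original signalled the running process and then unconditionally started a
# second copy on the same interface.  The PID is taken from the per-interface
# pid file rather than from pidof(8): with several instances pidof returns a
# list, which "$PID" would hand to kill as one (invalid) argument.
###############################################################################
restartsnort() {
  for i in $IFACES; do
    "$ECHO" "Setting up Snort for interface $i"
    "$ECHO" "Restarting Snort..."
    pidfile="/var/run/snort_$i.pid"
    if [ -f "$pidfile" ]; then
      PID=$(cat "$pidfile" 2>/dev/null)
      if [ -n "$PID" ] && "$KILL" -0 "$PID" 2>/dev/null; then
        "$ECHO" "Restarting Snort running with PID $PID and reloading the rules..."
        "$KILL" -s "$KILLSIG" "$PID"
      else
        # Stale pid file: let the init script sort out all instances.
        "$SERVICE" snort restart
      fi
    else
      "$ECHO" "No PID file for interface $i found under /var/run"
      "$ECHO" "Starting Snort"
      # -u/-g make Snort drop root after opening the capture device; keep them.
      "$SNORT" -a -b -c "$SNORTCFGPATH/snort.conf_$i" -I -D -v -i "$i" \
        -u "$SNORTUSER" -g "$SNORTGROUP"
      PID=$(cat "$pidfile" 2>/dev/null)
      "$ECHO" "Snort running now with PID $PID"
    fi
  done
}

###############################################################################
# Check whether, and how many, Snort instances are running on the system and
# repair the obvious inconsistencies through the init script.
###############################################################################
checksnort() {
  SNORTS=$("$PIDOF" "$SNORT" | wc -w | awk '{print $1}')
  SNORT_PIDS=$(/usr/bin/find /var/run -name 'snort_eth[0-9].pid' | wc -l | awk '{print $1}')
  "$ECHO" "Snort instances counted: $SNORTS"
  "$ECHO" "Snort PID files found: $SNORT_PIDS"
  # Case 1: Snort is not running, or there is no PID file at all.
  if [ "$SNORTS" = "0" ] || [ "$SNORT_PIDS" = "0" ]; then
    "$ECHO" "Snort seems to be down or no PID file there..."
    "$ECHO" "Restarting Snort for all Interfaces..."
    "$SERVICE" snort restart
  fi
  # Case 2: more instances than PID files.
  if [ "$SNORTS" -gt "$SNORT_PIDS" ]; then
    "$ECHO" "More Snort instances than found PID files..."
    "$ECHO" "Something is wrong outthere..."
    "$ECHO" "Stopping all Snort processes..."
    # /usr/bin/killall -9 snort
    "$SERVICE" snort stop
    "$ECHO" "Hold on... Restarting Snort now..."
    "$SERVICE" snort restart
  fi
  # Case 3: the number of instances matches the number of PID files -- nothing to do.
}

###############################################################################
# Fetch the rules tarball and its .md5 file, verify the checksum, and install
# the rules into $RULESPATH.  Exits non-zero on any failure.
#
# The archive is unpacked into a private temporary directory and only the
# expected files are moved into place; extracting straight into
# $SNORTCFGPATH (as the original did) lets a member named "../x" or "/etc/x"
# land outside the rules tree on tar versions that do not strip such paths.
###############################################################################
getrules() {
  # Get the rules, since we know that they are newer...
  # shellcheck disable=SC2086 -- WGET_PARAMS is a deliberately space-separated option list
  "$WGET" $WGET_PARAMS "$SIGS_URL1" || { "$ECHO" "Error! Download of $SIGS_URL1 failed"; exit 1; }
  "$WGET" $WGET_PARAMS "$MD5_URL1" || { "$ECHO" "Error! Download of $MD5_URL1 failed"; exit 1; }

  "$ECHO" "Readout the checksum..."
  # Read the expected MD5 sum; the file is in "MD5 (name) = hash" form, hence $4.
  if [ -f "$RULES_MD5" ]; then
    MD5SUM1=$(grep MD5 "$RULES_MD5" | awk '{print $4}')
  else
    "$ECHO" "Error! No MD5-file found"
    exit 1
  fi

  "$ECHO" "Generating our own checksum..."
  if [ -f "$RULES_TGZ" ]; then
    # shellcheck disable=SC2086 -- MD5SUM_PARAMS is an option list
    MD5SUM2=$("$MD5SUM" $MD5SUM_PARAMS "$RULES_TGZ" | awk '{print $1}')
  else
    "$ECHO" "Error! No rules file found"
    exit 1
  fi

  "$ECHO" "$MD5SUM1" >> "$LOGFILE"
  "$ECHO" "$MD5SUM2" >> "$LOGFILE"
  # An empty expected sum (truncated or malformed .md5) must never "match".
  if [ -n "$MD5SUM1" ] && [ "$MD5SUM1" = "$MD5SUM2" ]; then
    "$ECHO" "The MD5-Checksum fits!"
    "$ECHO" "$MD5SUM1"
    "$ECHO" "$MD5SUM2"
    "$ECHO" "Proceeding..."
    # /bin/sleep 1
  else
    "$ECHO" "Error! Wrong checksum! Aborting!"
    "$ECHO" "Install rules manually!"
    exit 1
  fi

  # Refuse archives with absolute or parent-directory member names.
  members=$("$TAR" -tzf "$RULES_TGZ") || { "$ECHO" "Error! Cannot read the rules archive. Aborting!"; exit 1; }
  if printf '%s\n' "$members" | grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then
    "$ECHO" "Error! The archive contains absolute or '..' paths. Aborting!"
    exit 1
  fi

  TMPDIR_RULES=$(mktemp -d "${TMPDIR:-/tmp}/snortrules.XXXXXX") || { "$ECHO" "Error! mktemp failed"; exit 1; }
  trap '[ -n "$TMPDIR_RULES" ] && /bin/rm -rf "$TMPDIR_RULES"' EXIT

  "$ECHO" "Extracting Snort rules..."
  "$TAR" -xzvf "$RULES_TGZ" -C "$TMPDIR_RULES" || { "$ECHO" "Error! Extraction failed. Aborting!"; exit 1; }

  # Install the new rules (the old ones in $RULESPATH are overwritten).
  if [ -d "$RULESPATH" ]; then
    /bin/mv -f "$TMPDIR_RULES"/rules/*.rules "$RULESPATH"
    /bin/cp -f "$TMPDIR_RULES"/rules/classification.config "$SNORTCFGPATH"
  else
    "$ECHO" "Missing rules-directory!"
    "$ECHO" "Aborting!"
    exit 1
  fi

  # Cleaning up...
  /bin/rm -rf "$TMPDIR_RULES"
  TMPDIR_RULES=""
  # Give everything to root; ":?" aborts instead of running chown on "/*"
  # should RULESPATH ever be empty.
  /bin/chown root:root "${RULESPATH:?}"/*
}

###############################################################################
# M A I N
###############################################################################
# Error handling first: probe the server without downloading anything.
# "--spider" with two dashes -- the original "-spider" is most likely parsed
# by wget as the short options "-s -p -i der" rather than as spider mode.
FCHK=$("$WGET" --spider -N -t 3 -T 5 "$SIGS_URL1" -P "$SNORTCFGPATH" 2>&1)
# Log the probe output explicitly
"$ECHO" "$FCHK" >> "$LOGFILE"
# If the output mentions "failed" or "error" we break.
if "$ECHO" "$FCHK" | grep -i -e failed -e error >/dev/null; then
  "$ECHO" "Error getting the files. The server seems to be not available."
  "$ECHO" "Error message:"
  "$ECHO" "$FCHK"
  "$ECHO" "Aborting!"
  # Non-zero (the original exited 0 here) so cron/monitoring reports the failure.
  exit 1
fi

"$ECHO" "Checking/getting files..."
# wget -N reports "not retrieving" when the server copy is not newer.
FCHK=$("$WGET" --spider -N -t 3 -T 5 "$SIGS_URL1" -P "$SNORTCFGPATH" 2>&1 | grep "not retrieving")
/bin/date >> "$LOGFILE"
"$ECHO" "Wget-output:"
"$ECHO" "$FCHK"
# Logging what we've done and when
"$ECHO" "$FCHK" >> "$LOGFILE"

if [ -z "$FCHK" ]; then
  "$ECHO" "The files on the server seem to be newer."
  "$ECHO" "We will get them now..."
  getrules
  # Reload rules
  "$SERVICE" snort reload
  # restartsnort
else
  # "$ECHO" "The signature files on the server are older or not newer."
  "$ECHO" "Doing nothing for now..."
  "$ECHO" "Checking if Snort is running...."
  checksnort
  exit 0
fi

# Send Email (printf instead of the non-portable "echo -e")
{
  ls -lA "$RULESPATH"
  printf '\n\nSnort running with PID %s\n' "$("$PIDOF" "$SNORT")"
} | mail -s "Reloaded Snort signatures on $MACHINE" "$MAILTO"
###############################################################################
###############################################################################
exit 0 #EOF 3.19 How do you get the latest snort via cvs? The Snort project's SourceForge CVS repository can be checked out through anonymous (pserver) CVS with the following instruction set. 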
The module you wish to check out must be specified as the modulename. When prompted for a password for anonymous, simply press the Enter key. cvs -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort login cvs -z3 -d:pserver:anonymous@cvs.snort.sourceforge.net:/cvsroot/snort co snort Updates from within the module's directory do not need the -d parameter. 3.20 How do I use a remote syslog machine? Add the syslog switch, -s, and put this line in syslog.conf on the sensor: auth.alert @management-server-IP Look at your snort.conf file for more info on the facility and Priority settings. Make sure you have syslogd on management server configured to allow syslog over UDP. Under RedHat, you can do this by editing /etc/sysconfig/syslog and adding the following line: SYSLOGD_OPTIONS="-r -m 0" This will start syslogd with the mark interval set to 0 (turning it off) and set it to receive network connections. Then restart syslog. ``man syslogd'' for more info. Security note: ``-r'' makes syslogd accept messages on UDP port 514 from any host, and classic syslog over UDP is neither authenticated nor encrypted, so anyone who can reach that port can inject forged alerts or flood the management server. Restrict UDP/514 with a packet filter to the sensor addresses (ideally on a dedicated management network) and consider a syslog daemon with a TCP/TLS transport for the sensor-to-server leg. You might also want to investigate syslog-ng^[*]. Example invocation of snort: /usr/local/bin/snort -c /etc/snort/snort.conf -I -A full -s 192.168.0.2:514 -i rl0 Note for Win32 users: Frank Knobbe wrote a patch for Snort to allow you to use '-s host' on the command line under Windows without nullifying the snort.conf. In other words, Snort still uses all settings from snort.conf but in addition uses the host from '-s' to send syslog alerts to. You can find the patch at http://www.snort.org/dl/contrib/patches/win32syslog/ 3.21 How do I build this ACID thing? Read carefully through all the docs for each package. Getting ACID to work is a lot of work, since it depends on many packages. You need a working Apache, a working PHP, a working GD (and the many libraries GD depends on), the ADODB package, and Phplot. This is a lot of stuff to configure. A typical sequence to get this all working on Solaris 8: Use some binary packages from a trusted Sun freeware site (sunfreeware.com). The most problems were with PHP and the GD library. 
GD itself needs a bunch of packages and libraries to work also. It needs the libpng stuff, the libjpeg stuff (if you want jpeg), etc, etc. Read through the readme for GD. So you either need to get these and compile them also, or get some binary packages. PHP is the most difficult thing to get compiled correctly. The PHP package needs to be compiled with lots of "-with" flags for GD to work properly, otherwise it gets lots of run-time unresolved reference errors. Just using a "with" for GD isn't sufficient. You also need to "with" each library which GD uses also, or PHP can't find the functions it needs. Here's the "configure" line you can use to get PHP working: ./configure --with-mysql --with-apxs=/usr/apache/bin/apxs --with-gd --enable-sockets --with-jpeg-dir=/usr/local/lib --with-png-dir=/usr/local/ lib --with-zlib-dir=/usr/local/lib --with-xpm-dir=/usr/local/lib These 'with' statements basically have the effect of the Makefile including -L and -R statements for each library so that both the compile and run time linkers can find all the functions needed to find in the Apache module environment. Apache doesn't seem to consult the LD_LIBRARY_PATH when running a module (or PHP doesn't, or there's some config item in the Apache conf files, but you can just use the "withs"). Basically, you need to work from the bottom up. So you need to obtain/compile any libraries that GD needs and install them, and any libraries/packages those packages need. Then once you get GD compiled properly and installed, compile PHP. Then make a PHP script that calls phpinfo() (this is referenced in the ACID install) and carefully examine the page produced. Once satisfied PHP is working, then the 'foundation' is ready for the other stuff. Install PHplot and run a few of the tests. If they succeed, then install ADODB and ACID, tweak the config files, and it should all work. (heh, heh) Also make sure you read the ACID FAQ on the web site. 
There's some stuff not in the ACID install guide that should probably be there. Namely the fact that the PHP "register_globals" option must be turned on in the php.ini file (it's off in the default PHP configurations). Security note: register_globals turns every request parameter into a PHP global variable and has been the root cause of a long list of PHP application vulnerabilities, which is why it is off by default. If ACID needs it, enable it only for ACID's own directory or virtual host (e.g. ``php_flag register_globals on'' in that Apache block or a .htaccess) rather than globally, and put the ACID console behind HTTP authentication restricted to the analyst network -- it fronts your alert database. ACID FAQ: http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html 4 Rules and Alerts 4.1 Errors loading rules files Some common ones: * ERROR telnet.rules:YYY => Port value missing in rule! * ERROR telnet.rules:YYY => Bad port number: "(msg:"blah" * ERROR telnet.rules:YYY => Couldn't resolve hostname blah What's going on? ``telnet.rules'' is the file where the syntax error occurred, and ``YYY'' is the line number it occurred on. There are a couple of possibilities: 1. The rule is missing a port value, has an invalid port number, or a bad hostname - in which case the ruleset author/maintainer should be notified. 2. More often, the rule is just fine, but a variable in it was not declared. Open the rules file, look at the rule on the line number provided, and confirm that the variables it uses have been declared. You can read more about variables from http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.1.2 4.2 Snort says "Rule IP addr ("1.1.1.1") didn't x-late, WTF?" Get rid of the quotes around the IP address and try again. 4.3 Snort is behind a firewall and awfully quiet... A separate firewall in front of the sensor drops the blocked traffic before it ever reaches the segment Snort is sniffing, so Snort has nothing to see. Note: This does not apply if Snort is installed _on_ the firewall box (see 4.4 below). 4.4 Does snort see packets filtered by IPTables/IPChains/IPF/PF? Snort operates using libpcap. In general it sees everything the network adapter driver sees before the network stack munges it. Linux IPTables, Linux IPChains, BSD PF and IPF and other packet filters do not prevent snort from seeing a packet that is present on the network wire. Even if an inbound packet is denied by the packet filter Snort will still see and analyze the packet if it is listening to that interface. 
Snort/pcap sees whatever comes out of or goes into the network adapter. Note however that Snort is affected to the extent that the stream of data on the network wire is affected. Thus Snort will not see outbound packets which were denied while being sent since they will never reach the network adapter. Under OpenBSD you can snort just the PF rejects by using the /dev/pflogN interface. 4.5 I'm getting large amounts of . What should I do? Where can I go to find out more about it? Some rules are more prone to producing false positives than others. This often varies between networks. You first need to determine if it is indeed a false positive. Some rules are referenced with ID numbers. The following are some common identification systems, and where to go to find more information about a particular alert. +---------------------------------------------------------------------------------------+ | System | Example | URL | |---------+---------------+-------------------------------------------------------------| | IDS | IDS182 | http://www.whitehats.com/IDS/182 | |---------+---------------+-------------------------------------------------------------| | CVE | CVE-2000-0138 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0138 | |---------+---------------+-------------------------------------------------------------| | Bugtraq | BugtraqID 1 | http://www.securityfocus.com/vdb/bottom.html?vid=1 | |---------+---------------+-------------------------------------------------------------| | McAfee | Mcafee 10225 | http://vil.nai.com/vil/dispVirus.asp?virus_k=10225 | |---------+---------------+-------------------------------------------------------------| | Nessus | Nessus 11073 | http://cgi.nessus.org/plugins/dump.php3?id=11073 | +---------------------------------------------------------------------------------------+ It may be necessary to examine the packet payload to determine if the alert is a false positive. The packet payload is logged using the -d option. 
If you determine the alerts are false positives, you may want to write pass rules for machines that are producing a large number of them. If the rule is producing an unmanageable amount of false positives from a number of different machines, you could pass on the rule for all traffic. This should be used as a last resort. 4.6 What about all these false alarms? Most think that a pile of false positives is infinitely preferable. Then people can turn off what they don't want. The reverse, having a small rule set, can lure people into complacency thinking that Snort is doing "its thing" and there is nothing to worry about. 4.7 What are all these ICMP files in subdirectories under /var/log/snort? Most of them are likely destination unreachable and port unreachables that were detected by snort when a communications session attempt fails. 4.8 Why does the program generate alerts on packets that have pass rules? The default order that the rules are applied in is alerts first, then pass rules, then log rules. This ordering ensures that you don't write 50 great alert rules and then disable them all accidently with an errant pass rule. If you really want to change this order so that the pass rules are applied first, use the "-o" command line switch, or the ``order'' config directive. One other thing to keep in mind is that the alert might be generated from a preprocessor. If that is the case, then no pass rule will help you minimize the false positives. You will need to use a BPF filter. 4.9 What are all these "ICMP destination unreachable" alerts? ICMP is the acronym for Internet Control Message Protocol. They are failed connections. ICMP unreach packet carries first 64 bits(8bytes) or more of the original datagram and the original IP header. The ICMP Destination Unreachable (message type 3) is sent back to the originator when an IP packet could not be delivered to the destination address. The ICMP Code indicates why the packet could not be delivered. 
The original codes are: * 0 - net unreachable * 1 - host unreachable * 2 - protocol unreachable * 3 - port unreachable * 4 - fragmentation needed and DF bit set * 5 - source route failed As far as why... "it all depends..." ICMP Unreachable Error Messages are divided into two groups: 1. ICMP Unreachable Error Messages issued by routers (all 16 of them) 2. ICMP Unreachable Error Messages issued by a Host (only 2) What are the only 2 issued by a host? * ICMP Port Unreachable - the destination port on the targeted host is closed (a.k.a. not in a listening state). * ICMP Protocol Unreachable - the protocol we were trying to use is not being used on the targeted host. Both ICMP Type field and Code field indicates why the packets could not be delivered. Some snort ICMP alerts" are informational like the ICMP alerts found in icmp-info.rules. At this time there are no references or even classtypes associated with these rules. Other rules are more likely to be associated with untoward activity. For example, in icmp.rules you will find: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:1;) which has a reference where the importance might be determined by checking out the arachnids reference. The classtype may indicate more or less the relative importance of the event. When a destination UDP port is closed on the targeted host, a.k.a. not in a listening state, the targeted host will issue an ICMP Port Unreachable error message back to the offending packets source IP address, given in the query. Some programs use these messages, like traceroute with *nix based machines. Windows based machines (tracert) will default to ICMP Echo requests... 
For further information about this see * IP - ftp://ftp.isi.edu/in-notes/rfc791.txt * ICMP - ftp://ftp.isi.edu/in-notes/rfc792.txt * TCP - ftp://ftp.isi.edu/in-notes/rfc793.txt * UDP - ftp://ftp.isi.edu/in-notes/rfc768.txt and http://www.iana.org/assignments/icmp-parameters Actually, putting this URL somewhere handy is a good idea: http://www.iana.org/ There is also a good ICMP paper available at: http://www.sys-security.com/ 4.10 Why do many snort rules have the flags P (TCP PuSH) and A (TCP ACK) set? One of the reasons rules alert on the PA flag combination is to minimize false positives: in normal traffic those flags appear only on data segments of an already established connection, so you will mostly get alerts for attacks carried over successful connections. Bear in mind that the flags check is purely per-packet - Snort does not verify that a handshake actually took place - so it can be both spoofed (a single crafted packet with PSH and ACK set will match) and bypassed (a probe that never completes a connection will not). If you want to see all the attempts, you either have to modify the signatures, add your own signatures, or use your firewall logs to see if an attempt to a specific port occurred. 4.11 Snort says BACKDOOR SIGNATURE... does my machine have a Trojan? If you are dumping the data part of the packet, review it. These rules are known to have high false-positive rates, as most of them are based only on port numbers; by the same token, a backdoor listening on a different port will not trigger them at all. 4.12 What about "CGI Null Byte attacks"? It's a part of the http preprocessor. Basically, if the http decoding routine finds a %00 in an http request, it will alert with this message. Sometimes you may see false positives with sites that use cookies with urlencoded binary data, or if you're scanning port 443 and picking up SSL-encrypted traffic. If you're logging alerted packets you can check the actual string that caused the alert. Also, the unicode alert is subject to the same false positives with cookies and SSL. Having the packet dumps is the only way to tell for sure if you have a real attack on your hands, but this is true for any content-based alert. 4.13 Why do certain alerts seem to have 'unknown' IPs in ACID? The Snort database plug-in only logs packet information into the database when an alert is triggered by a rule (signature). 
Therefore, since alerts generated by preprocessors such as portscan and mini-fragment have no corresponding rules, no packet information is logged beyond an entry indicating their occurrence. As a consequence, ACID cannot display any packet-level (e.g. IP address) information for these alerts. For these particular alerts, certain statistics may show zero unique IP addresses, list the IP address as 'unknown', and will not list any packet information when decoding the alert. 4.14 Can priorities be assigned to Alerts using ACID? The quick answer to this question is no. ACID is at the mercy of the underlying database; since Snort doesn't assign priorities, ACID does not have priorities. Nevertheless, there are some work-arounds: * It is possible to enforce priorities of a sort at the database level by writing alerts of different severity to separate databases. For example, critical alerts such as buffer overflows can be written to one database, while scan alerts can be written to another. Then load two different versions of ACID, each pointing to a different instance of the database. * With manual intervention Alert Groups (AG) can be used to assign priority. Essentially, this strategy entails creating an AG for each severity level and manually moving the alerts as they arrive into the appropriate group. 4.15 What about 'SMB Name Wildcard' alerts? Whitehats IDS177 http://dev.whitehats.com/cgi/test/new.pl/Show?_id= netbios-name-query specifies traffic coming from outside of your local network. Allowing netbios traffic over public networks is usually very insecure. If the rule you are using also refers to ingress traffic only, then it would explain why you don't see a lot of false positives. For anyone reading that does see a lot of false positives - if you change your rule to reflect the source address as being !$HOME_NET (or whatever variable you use to represent your internal network), then you should see most of the false positives go away. Be aware that this also silences the alert when the probing host is one of your own - a reasonable trade-off only if you treat the internal network as trusted. 
The value of this check is that a default administrative share C$ ADMIN$ or some such has been accessed. This shouldn't happen in normal use - when people want to share files they should be explicitly defining the shares and ACL. 4.16 What the heck is a SYNFIN scan? SYNFIN scans got their name because both the SYN and FIN flags are set in the same segment. That combination never occurs in a legitimate TCP exchange; it is used to fingerprint TCP stacks by their reaction to it, and it may slip past simple packet filters that match only on the SYN flag. 4.17 I am getting too many "IIS Unicode attack detected" and/or "CGI Null Byte attack detected" false positives. How can I turn this detection off? These messages are produced by the http_decode preprocessor. If you wish to turn these checks off, add -unicode or -cginull to your http_decode preprocessor line respectively. preprocessor http_decode: 80 8080 -unicode -cginull Your own internal users' normal surfing can trigger these alerts in the preprocessor. Netscape in particular has been known to trigger them. Instead of disabling them, try a BPF filter to ignore your outbound http traffic such as: snort -d -A fast -c snort.conf not (src net xxx.xxx and dst port 80) This has worked very well for us over a period of 5-6 months and Snort is still very able to decode actual and dangerous cgi null and unicode attacks on our public web servers. Note what this trades away: a BPF filter discards the packets before any preprocessor or rule sees them, so with this filter Snort is completely blind to outbound HTTP from xxx.xxx - including an internal host that has been compromised and is attacking external web servers. Prefer narrowing the filter to the specific clients or sites that produce the noise, and keep disabling the checks as a last resort. 4.18 How do I test snort alerts and logging? Try a rule that will fire off all the time like: alert tcp any any -> any any (msg:"TCP traffic";) (remember to remove it afterwards - it alerts on every TCP packet). Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar Sneeze is a false positive generator that reads snort signatures and generates packets that will trigger the rules. 4.19 What is the difference between ``Alerting'' and ``Logging''? There are two primary output facilities in Snort, logging and alerting. The alerting facility exists to let you know that something interesting has happened. The logging facility exists to log full packet information to the output format (pcap, ascii, database, etc). 
The "alert" action in Snort is hard coded to do two things when an event is detected by Snort, write an event to the alert facility and log as much as possible/desired to the output facility. The "log" action merely logs the current packet to the logging facility without generating an alert. This is done so you can log interesting things (telnet sessions, whatever) without having to generate an alert on every packet. The database plugin is something of an anomaly because it doesn't separate the two functionalities very much. The "log" option attaches the log facility and the "alert" option attaches it to the alert facility. What this means in practical terms is that if the db plugin is in alert mode, it will only receive output from alert rules, whereas if it's in "log" mode it will receive output from both log and alert rules. 4.20 Are rule keywords ORed or ANDed together? From Section 2.1 of the Snort Manual: All of the elements in that make up a rule must be true for the indicated rule action to be taken. When taken together, the elements can be considered to form a logical AND statement. At the same time, the various rules in a Snort rules library file can be considered to form a large logical OR statement. 4.21 Can snort trigger a rule by MAC addresses? Not exactly. Snort logs MAC addresses and other L2 info within the packets. The arpwatch pre-processor can watch for games with MAC address changes. But there is no facility for triggering Rules form the L2 information. The content search keywords and depth and offset begin from the L3 payload, though we haven't tried playing with really big offsets yet :-). 4.22 How can I deactivate a rule? Rules can be called from an included file in snort.conf, which tells Snort to follow the path to the rules file specified, and load it at initialization. Rules can also be included in snort.conf directly. If you want to deactivate a single rule within any list of rules, you can use one of these techniques: 1. 
Delete the rule and re-initialize Snort 2. Place a # in front of the rule, commenting it out, and re-initialize Snort 3. Write a pass rule with the same properties in local.rules (or wherever you prefer), and re-initialize Snort with the -o option. 4.23 How can I define an address to be anything except some hosts? Use the ! operator. E.g.: var EXTERNAL_NET !$HOME_NET Note that the negation operator does not work inside a list so the following will NOT work: var EXTERNAL_NET [!192.168.40.0/24,!10.14.0.0/16] but this will work: var EXTERNAL_NET ![192.168.40.0/24,10.14.0.0/16] 4.24 After I add new rules or comment out rules how do I make snort reload? Usually a kill -HUP will work just fine. But if you are running inside of a chroot setup, this will not work as expected (see FAQ 6.19). If you're running like inside of a chroot jail, your best bet would be to kill and restart the snort process instead. 4.25 Where do the distance and within keywords work from to modify content searches in rules ? The "distance" keyword gives you a relative offset from the end of the last match, so it basically acts as a wildcarding mechanism. You can also use the new "within" keyword to limit how deep into the packet from the end of the distance it'll search before it stops. 4.26 How can I specify a list of ports in a rule? You can't yet. You can specify a range of ports between X and Y With the notation X:Y. See the users manual^[*] for more info on port ranges. 4.27 How can I protect web servers running on ports other than 80? It is possible... It's a kludge, but it can work. Since the newer rules use $HTTP_PORTS variable, you simply reset it and re-run the rules for the other ports. For example: var HTTP_PORTS 80 include web.rules var HTTP_PORTS 8080 include web.rules 4.28 How do I turn off "spp:possible EVASIVE RST detection" alerts? You want to pass the ``disable_evasion_alerts'' argument to stream4 in snort.conf. 4.29 Is there a private SID number range so my rules don't conflict? 
Yes. Private SID starts at 1000000. 4.30 How long can Address Lists, Variables, or Rules be? The snort parser has an 8K limit on variables and rules *after* expansion. In practice this is not a major limitation. :-) 5 Getting Fancy 5.1 I hear people talking about ``Barnyard''. What's that? Barnyard is a output system for Snort. Snort creates a special binary output format called ``unified''. Barnyard reads this file, and then resends the data to a database backend. Unlike the database output plugin, Barnyard is aware of a failure to send the alert to the database, and it stops sending alerts. It is also aware when the database can accept connections again and will start sending the alerts again. 5.2 How do I process those snort logs into reports? 1. Barnyard 5.1can be used to process unified output files into a number of formats including output to a database for further analysis. 2. SnortSnarf, a tool for producing HTML out of snort alerts for navigating through these alerts. http://www.silicondefense.com/snortsnarf/ 3. If you want to set up logging to a database you could try ACID Some documentation describing the current ACID functionality: http://www.cert.org/kb/acid/ 4. You can manipulate the unified output files directly without a separate database and browse/correlate them with Cerebus: http://dragos.com/cerebus/ 5. For GUI front ends with simple log browsing look at: + HenWen (OSX) http://homepage.mac.com/nickzman http://home.attbi.com/~rickzman/software/HenWen1.0.sit.bin + IDS Center (Win32) http://www.packx.net/ + Puresecure (UNIX and Win32)-Formerly known as demarc. http://www.demarc.com/downloads/puresecure/ + SnortCenter (UNIX and Win32) http://users.pandora.be/larc/ + IDS Policy Manager (Win32) http://www.activeworx.com/IDSPM/ 5.3 How do I log to multiple databases or output plugins? Feed the unified output files through barnyard twice to separate databases, or... You can build redundancy by using multiple output plugins. Here are some examples. 
Multiple instantiations of the database plugin: output log_database: mysql, dbname=snort host=localhost user=xyz output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz Remote database and local tcpdump: output log_database: mysql, dbname=snort host=remote.loghost.com user=xyz output log_tcpdump: /var/log/snort.tcpdump Then you can replay the tcpdump file through snort to recreate the database. CAVEAT: just playing back the log packets might not trigger some of the state dependent pre-processors. 5.4 How can I test snort without having an ethernet card or a connection to other computers? You have to use routing between two dummy devices: modprobe -a dummy # (The dummy device has to be built by the kernel) ifconfig dummy0 192.168.0.1 ifconfig dummy0:0 192.168.0.2 telnet 192.168.0.3 12345 It's important that the second IP is on the same interface and not e.g. dummy1 or dummy2 and that the IP you try to access is not one of those you put on the interfaces. Use snort's ability to hear in promiscuous mode on an IP address range. (HOME_NET=192.168.0.0/16) 5.5 How to start snort as a win32 service? 1. Use must use complete paths for everything. This means EVERYTHING. Command line, configuration files, everything. Examples: All include statements must be full paths. WRONG: include scan-lib CORRECT: include C:\( \backslash \)snort\( \backslash \)scan-lib All Command line options must be full paths. WRONG: snort.exe -l ./log CORRECT: snort.exe -l C:\( \backslash \)snort\( \backslash \)log 2. YOU MUST ALWAYS HAVE A LOGGING DIRECTORY SET VIA THE COMMAND LINE (-l switch). If you do not set a logging directory the service will not start and, on NT/Win2k, your bootup will hang for about 4 minutes. 3. Make sure that snort runs correctly from the command line, without yet worrying about any service related issues. 
Test that all of your desired command line parameters are causing snort to function as you expect, such as correctly generating logging and alert output. If you can't get this part to work, then you don't have much hope of snort miraculously starting to work as a service. 4. Once you have step (3) running correctly, modify the command line parameters you used in step (3) to include the additional parameters "/ SERVICE /INSTALL". For example, if your command line in step (3) was snort -i1 -lC:\( \backslash \)snort\( \backslash \)log -cC:\( \ backslash \)snort\( \backslash \)snort.conf then you should change it to be snort /SERVICE /INSTALL -i1 -lC:\( \backslash \)snort\( \backslash \) log -cC:\( \backslash \)snort\( \backslash \)snort.conf Verify that the command line parameters were received correctly by running the command 'snort /SERVICE /SHOW'. 5. Start the service by running the command net start snortsvc Note that versions 1.9 (build 228), 2.0 (build 50), or any versions newer than these, will add entries to the Win32 event Log if there is ever a problem starting the service. Stop the service by running the command net stop snortsvc 6. The service can be uninstalled by running the command snort /SERVICE /UNINSTALL 5.6 Is it possible with snort to add a ipfilter/ipfw rule to a firewall? Yes, with additional software in the contrib directory. But this can be dangerous and is not recommended unless you know what you're doing. * SnortSam http://www.snortsam.net * You also might wat to look at inline-snort at: http://www.snort.org/dl/contrib/patches/snort-inline * Guardian is a perl script which uses snort to detect attacks, and then uses IPchains to deny any further attacks. The Guardian webpage can be found at: http://www.chaotic.org/~astevens/Guardian/index.html or you can use the mirror, http://www.cyberwizards.com/~midnite/Guardian/index.html But one caveat... running external binaries can also be a performance limiter and your should read the caution below... 
CHRISTOPHER CRAMER wrote: I'm sure this has been mentioned before in similar discussions, but this feels like a _really_ bad idea. What if the bad guys realize what is going on and make use of your blocking method as a DoS attack. All one would have to do start sending a series of triggering packets with spoofed IP addresses. Since I am no longer interested in breaking into your site, but rather making your life hell, I don't worry about the resulting data getting back to me. All I have to do is start proceeding up a list of IP addresses that I think you should no longer be able to talk to. When you come in the next morning, you find that you can no longer access the world. Just my $0.02. Danger Will Robinson: Conventional wisdom says that auto-blocking is inherently dangerous. However, for those that like to live at the bleeding edge of tech (and the separate process scanning logs and processing firewall commands sounds like a good way to do this...): Please remember to include an exclusion list and put on them important sites such as root servers, other important dns servers (yours, and important sites for your users), and in general any host you don't want to receive phone calls about being DoSed when they are spoofed - usually inconveniently like that first time you actually manage to get on vacation.... (i.e. imagine "Crisis: the CEO can't reach his favorite redlite.org game.... you have to fly back from the Carribean asap....") 5.7 What is the best way to use snort to block attack traffic? snort-inline > hogwash >> SnortSAM|Guardian >> flexresp 5.8 Snort complains about the "react" keyword... Rerun configure with the -enable-flexresp option and rebuild/reinstall. 5.9 How do I get snort to e-mail me alerts? You can't. Such a process would slow Snort down too much to make it of any use. Instead, log to syslog and use swatch or logcheck to parse over the plaintext logfiles. 
With the logsurfer docs, this might get you on the road to doing something with snort & logsurfer: http://www.obfuscation.org/emf/logsurfer/snort.txt JASON HAAR provided an example Swatch (3.1beta) config that emails alerts: http://www.theadamsfamily.net/~erek/snort/snort-swatch.conf.txt Here are some docs on swatch: * http://www.oit.ucsb.edu/~eta/swatch/ * http://www.stanford.edu/~atkins/swatch * http://rr.sans.org/sysadmin/swatch.php * http://www.enteract.com/~lspitz/swatch.html * http://www.cert.org/security-improvement/implementations/i042.01.html IDS Center (see FAQ 5) on Win32 will also mail alerts. 5.10 How do I log a specific type of traffic and send alerts to syslog? An example addition to snort.conf: ruletype redalert { type alert output alert_syslog: LOG_LOCAL2 output database: alert, postgresql, user=user dbname=snort password=pwd } Note that this places the database password in clear text in snort.conf: make the file readable only by root (or whichever user Snort runs as), and give that database account only the INSERT/SELECT rights it needs to log alerts (see FAQ 6.9) so a leaked password cannot be used to alter or erase the alert history. Go into your local.rules and make sure you have something like: redalert tcp any any -> any any (msg:"REDRUM REDRUM"; content:"redalerttest") Then just do a telnet and type 'redalerttest'. Presto, alerts to both. 5.11 Is it possible to have snort call an external program when an alert is raised? Calling another program from within your main IDS loop is generally a bad idea. Having your IDS block while it waits on an external program of dubious reliability and origin - never mind its timing - while the packets are piling up is inviting packet loss. Especially with the already oh-so-consistent "Gee I think I'll go away for a minute" rock steady even cpu slicing Windows gives you (that's sarcasm, sorry). Go with the second approach - a separate process watching the logs - because process invocation is expensive on Windows. You want to keep that IDS task humming and munching packets as efficiently as possible with as few interruptions as possible, IMHO, and not be invoking the penalty of process invocation.... particularly on Windows where process invocation is a much, much heavier task than on *nix. Even in a secondary process... 
You'll probably find something that stays "awake" all the time will work out much more nicely than something that gets "woken up" on a per alert basis for the aforementioned reasons. As a better alternative go check out swatch or logwatch. Also for those new to UNIX, logging alerts to syslog and then using "tail -f /var/log/messages" might be what you are looking for. 5.12 How can I use snort to log http urls or smtp traffic ? It can be done with snort, but you might find it faster to use mailsnarf and urlsnarf from Dug Song's dsniff package. Dsniff is available from http://www.monkey.org/~dsong/dsniff/ You can get a win32 port of dsniff at http://www.datanerds.net/~mike/dsniff.html 5.13 How can I move data from the snort db to snort_archive db like ACID does? Use the perl script snort_archdb.pl found in the contrib dir of the snort distribution (snort_archdb-90a.tar.gz). 5.14 What are some resources that I can use to understand more about source addresses logged and where they are coming from? * http://www.arin.org/ * http://www.caida.org/tools/utilities/netgeo/ * http://netgeo.caida.org/perl/netgeo.cgi * http://standards.ieee.org/regauth/oui/oui.txt * http://www.codito.de/manufactor_hash * http://coffer.com/mac_find/ * http://www.idefense.com/Intell/CI022702.html * http://www.idefense.com/excelfiles/All.zip also try "dig". 5.15 How do I understand this traffic and do IDS alert analysis? 1. You'll need to understand some basics of IP, TCP, and UDP. Things like destination addresses, source addresses, common ports, what TCP SYN, FIN and RST mean, etc. The same kind of basic knowledge of the internet you need to successfully configure a multi-interface router applies here, although you don't need to know router syntax. Some useful online references: + A truly basic "intro to TCP/IP" http://pclt.cis.yale.edu/pclt/COMM/ TCPIP.HTM + A reasonable looking TCP/IP FAQ: http://www.itprc.com/tcpipfaq/ default.htm + A basics of firewalls, DMZ's, etc. 
http://www.ibiblio.org/pub/Linux/ docs/HOWTO/other-formats/html_single/Firewall-HOWTO.html 2. You'll need to understand some basics of how network attacks work. I'd recommend skimming over "Smashing the Stack for fun and profit" by Aleph one. A deep understanding isn't necessary, but a casual read of this will give you some helpful basics in understanding the kinds of things that happen in an attack, and give you a better understanding of what to look for. http://www.insecure.org/stf/smashstack.txt 3. A good guide on securing systems is helpful, something like this one: http://www.openna.com/products/books/sol/solus.php http://www.seifried.org/lasg/ 4. You'll need to understand the basics of internet servers, ie: what DNS, HTTP, FTP, SMTP, etc. are for. Most of that should be covered in the various other references made here. 5. An excellent reference on "oddball" traffic patterns commonly seen at network borders, also very helpful: http://www.robertgraham.com/pubs/firewall-seen.html 6. Also take a look at the ``Recommended Reading'' section (see FAQ 1.4) 5.16 How can I examine logged packets in more detail? If you are using unified logging, you can use Barnyard (see FAQ 5.1) or the unified log to pcap converter written by Dragos: http://dragos.com/logtopcap.c You can then get additional decoding of the packet contents by analyzing these pcap files with either: * Tcpdump - http://www.tcpdump.org * Ethereal - http://www.ethereal.com 6 Problems 6.1 I think I found a bug in snort. Now what? Get some more diagnostic information and post it to "snort-users" at http:// lists.sourceforge.net/lists/listinfo/snort-users To get diagnostic information compile snort as either: * []make clean; make CFLAGS=-ggdb or * []make clean; make "CFLAGS=-ggdb -DDEBUG" trace coredump as: * []gdb /path/to/snort /path/to/snort/core gdb> where gdb> bt gdb> print \$varname, varname, \$\$varname etc.. 
or if corefile isn't generated snort should be started as * []gdb snort gdb> run snort\_args\_go\_here Then when it crashes: * []gdb> where gdb> bt gdb> print \$varname, varname, \$\$varname etc.. 6.2 SMB alerts aren't working, what's wrong? Make sure you include "-enable-smbalerts" when you run "./configure". 6.3 Snort says "Garbage Packet with Null Pointer discarded!". Huh? This was an internal diagnostic message triggered by an old bug in early versions of the defragmentation preprocessor. Upgrade to to the latest version of snort. 6.4 Snort says "Ran Out Of Space". Huh? This is an internal diagnostic message when the defragmentation preprocessor runs into its 32MB hard allocation space limit. Tell Dragos about it 6.5 My ACID db connection times-out when performing long operations (e.g. deleting a large number of alerts) PHP has an internal variable set to limit the length an script can execute. It is used to prevent poorly written code from executing indefinitely. In order to modify the time-out value, examine the 'max_execution_time' variable found in the 'php.ini' configuration file. 6.6 Why does ACID keep changing my sensor number and how do I keep it consistent? From the code in op_acid_db.c: * []/* if sensor id == 0, then we attempt attempt to determine it dynamically */ if(data-> sensor_id == 0) { data->sensor_id = AcidDbGetSensorId(data); } And AcidDbGetSensorId does the following: * []"SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' " "AND filter='%s' AND detail='%u' AND encoding='0'", pv.hostname, pv.interface, pv.filter, op_data->detail) If it gets a sensor back, it uses that sensor_id, if not, it inserts the new sensor. So from the code, to keep it consistent, don't change the hostname / interface / filter and detail. 6.7 Why does snort report "Packet loss statistics are unavailable under Linux"? The Linux IP stack doesn't report lost packet stats. This also has been recently fixed with the 2.4+ kernel in the new version of libpcap... 
upgrade kernels and libpcap and it should now work. 6.8 My /var/log/snort directory gets very large..... Try this script to archive the files. Treat it as a starting point rather than a drop-in tool and review it before running it as root: the interface, paths and rule file are hard-coded; it kills whatever PID is in /var/run/snort_fxp0.pid without checking that the file exists or that the PID still belongs to Snort; the non-BSD date arithmetic only subtracts from the day of the month, so it produces bogus directory names during the first week of each month; as printed here the "elif" branch lacks its "then"; file names are taken from the output of ls, which breaks on unusual names; and the final step mails the raw alert logs - which can contain captured packet payload - over plain SMTP. * []#!/bin/sh # # Logfile rotation script for snort writen by jameso@elwood.net. # # This script is pretty basic. We start out by setting some vars. # Its job is tho rotate the days logfiles, e-mail you with what # it logged, keep one weeks worth of uncompressed logs, and also # keep compressed tgz files of all the logs. It is made to be run # at midnight everynight. This script expects you to have a base # dir that you keep all of your logs, rule sets etc in. You can # see what sub dirs it expects from looking at the var settings # below. # # Things to note in this script is that we run this script at 12 # every night, so we want to set the dirdate var the day the script # runs minus a day so we label the files with the correct day. We # Then create a dir for the days logs, move the log files into # todays dir. As soon as that is done restart snort so we don't miss # anything. Then delete any logs that are uncompressed and over a # week old. Then compress out todays logs and archive them away, and # end up by mailling out the logs to you. # # Define where you have the base of your snort install snortbase=/usr/snort # Define other vars # logdir - Where the logs are kept # oldlogs - Where you want the archived .tgz logs kept # weeklogs - This is where you want to keep a weeks worth of log files uncompres sed # dirdate - Todays Date in Month - Day - Year format # olddirdate - Todays date in the same format as dirdate, minus a week logdir=$snortbase/log oldlogs=$snortbase/oldlogs weeklogs=$snortbase/weeklogs # When I first wrote this script, I only ran it on BSD systems. That was a # mistake, as BSD systems have a date command that apperently lets you walk the # date back pretty easily. Well, some systems don't have this feature, so I had # to change the way that dates are done in here. 
I left in the old way, because # it is cleaner, and I added in a new way that should be portable. If anyone # has any problems, just let me know and I will try to fix it. # # You have to change the system var to either bsd or other. Set it to bsd if # your system supports the "-v" flag. If you are not sure, set it to other. system=bsd if [ $system = bsd ] then dirdate=`date -v -1d "+%m-%d-%y"` olddirdate=`date -v -8d "+%m-%d-%y"` elif [ $system = other ] month=`date "+%m"` yesterday=`expr \`date "+%d"\` - 1` eightday=`expr \`date "+%d"\` - 8` year=`date "+%y"` dirdate=$month-$yesterday-$year olddirdate=$month-$eightday-$year fi # Create the Dir for todays logs. if [ ! -d $weeklogs/$dirdate ] then mkdir $weeklogs/$dirdate fi # Move the log files into todays log dir. This is done with # a for loop right now, because I am afriad that if alot is # logged there may be to many items to move with a "mv *" # type command. There may a better way to do this, but I don't # know it yet. for logitem in `ls $logdir` ; do mv $logdir/$logitem $weeklogs/$dirdate done # Kill and restart snort now that the log files are moved. kill `cat /var/run/snort_fxp0.pid` # Restart snort in the correct way for you /usr/local/bin/snort -i fxp0 -d -D -h homeiprange/28 -l /usr/snort/log \ -c /usr/snort/etc/08292k.rules > /dev/null 2>&1 # Delete any uncompressed log files that over a week old. if [ -d $weeklogs/$olddirdate ] then rm -r $weeklogs/$olddirdate fi # Compress and save the log files to save for as long as you want. # This is done in a sub-shell because we change dirs, and I don't want # to do that within the shell that the script runs in. (cd $weeklogs; tar zcvf $oldlogs/$dirdate.tgz $dirdate > /dev/null 2>&1) # Mail out the log files for today. 
cat $weeklogs/$dirdate/snort.alert | mail -s "Snort logs" you@domain.com cat $weeklogs/$dirdate/snort_portscan.log | mail -s "Snort portscan logs" you@do main.com 6.9 Why does the 'error deleting alert' message occur when attempting to delete an alert with ACID? Most likely the DB user configured in ACID does not have sufficient privileges. In addition to those privileges granted to log the alerts into the database (INSERT, SELECT), DELETE is also required. This permission related issue can be confirmed by manually inserting a row into the database, then trying to delete it. 1. login to MySQL with the same credentials (i.e. username, password) as you use in ACID mysql -u -p 2. insert a test row into the event table mysql> INSERT INTO event (sid, cid, signature, timestamp) VALUES (1,1000000, "test", "0"); (this assumes that you don't already have a row with an event ID=1000000. If you do just choose another event id #) 3. now delete this newly inserted row: mysql> DELETE FROM event WHERE sid=1 AND cid=1000000; (use the same cid you inserted - a DELETE that matches no row reports success with 0 rows affected and would mask the problem) If you were not able to delete, this confirms that this is a permission problem. Re-login to mysql as root, and issue a GRANT command (giving the DELETE permission) to the ACID DB user. GRANT DELETE on snort.* to acid@localhost (this assumes that my alert database is 'snort', username is 'acid', and logging from the 'localhost') Grant DELETE only to the account the ACID console uses, not to the account the sensors log with; the sensor account should keep INSERT/SELECT only, so that a compromised sensor cannot erase the evidence it has already recorded. 6.10 ACID appears to be broken in Lynx This is a known issue. Lynx mangles some of the form arguments appended to the URL. Its resolution is being investigated, but use Netscape, Opera, or IE in the mean time. 6.11 I am getting 'snort [pid] uses obsolete (PF_INET, SOCK_PACKET)' warnings, what's wrong. You are using an older libpcap version with a recent linux kernel. There should be no problem with it as long as your kernel supports the SOCK_PACKET socket type. To get rid of the warning message however, you'll have to upgrade to some recent version of libpcap. (a copy from www.tcpdump.org is recommended). 
6.12 On HPUX I get device lan0 open: recv_ack: promisc_phys: Invalid argument It's because there's another program running using the DLPI service. The HP-UX implementation doesn't allow more than one libpcap program at a time to run, unlike Linux. (from snort.c) 6.13 I am getting snort dying with 'can not create file' error and I have plenty of diskspace, what's wrong? You may have run out of free inodes, which basically also means you can not create more files on the partition; 'df -i' shows the inode usage per filesystem. The obvious solution is to rm some ;-) 6.14 I am using Snort on Windows and receive an ``OpenPcap() error upon startup: ERROR: OpenPcap() device open: Error opening adapter'' What's wrong? Either winpcap is not installed, or you are using an incompatible version. Try upgrading to the latest version (2.3 as of 01/17/03). It is available from http://netgroup-serv.polito.it/winpcap/ It might also be an issue with SMP machines see FAQ Q:### 6.15 Snort is not logging to my database! There are a number of problems that may be causing snort to fail to log to a database. You should check these: 1. You did not set up the database plugin in your configuration file. 2. You are using an older database schema, and should update it by running the create scripts from the /contrib directory of the source tarball. 3. You are using a command line option that overrides what you have in your configuration file. This is most often -A or -s. NOTE: If you wish to log to syslog as well, specify so in your configuration file rather than on the command line. 4. There is a problem with your database configuration itself. Make sure the user you specify has the correct permissions, and that the database is actually up and running. 6.16 Portscans are not being logged to my database You need to change the output facility to 'alert' rather than 'log'. The portscan preprocessor calls output plugins registered as 'alert' plugins rather than 'log'. 
output database: alert, mysql, user=snort dbname=snort host=localhost 6.17 Snort is not logging to syslog There are a number of problems that may be causing snort to fail to log to syslog. You should check these: * You are using a command line option that overrides what you have in your configuration file. This is most often -A. * It may be logging to the wrong place. Make sure syslog is configured correctly. 6.18 I am still getting bombarded with spp_portscan messages even though the IP that I am getting the portscan from is in my $DNS_SERVERS var Try adding /32 netmasks to those addresses: var DNS_SERVERS [xxx.xx.0.3/32,xxx.xxx.0.2/32] And make sure the $DNS_SERVERS variable is on the portscan-ignorehosts line: preprocessor portscan-ignorehosts: $DNS_SERVERS 6.19 Why chrooted snort die when I send it a SIGHUP? It's a known problem with permissions. Workaround, restart snort instead. But the longer answer is this: Due to the way the execv(2) call works, it "Restarts" snort from scratch. This has the odd side effect of making HUPS to a chrooted snort become recursive. For example, chroot to /snort. It now sees / snort as / . Now HUP snort. Snort now expects to have /snort/snort as /. In other words, you have to re-create your directories for your jail inside it. 4 HUPS and you will be in /snort/snort/snort/snort. 6.20 My snort crashes, how do I restart it? Try one of these two shell scripts or daemontools (refer to website to daemontools) * []#!/bin/sh #snorthup: Snort Restarter and Crash Logger #(dr@kyx..net with help from kmaxwell@superpages.com) $conf = "snort.conf" for $IFACE in fxp0 fxp1 do if [ -f /var/run/snort_$IFACE.pid ]; then if ! 
ps -p `cat /var/run/snort_$IFACE.pid` > /dev/null ; then /usr/bin/logger -p user.notice snorthup: removing bogus pidfile /usr/bin/ logger -p user.notice snorthup: restarting absentee snort o n $IFACE with conf file $i rm -f /var/run/snort_$IFACE.pid /usr/local/bin/snort -D -c $conf -i $IFACE fi; else /usr/bin/ logger -p user.notice snorthup: restarting snort on $IFACE with conf file $conf /usr/local/bin/snort -D -c $conf -i $IFACE fi done Another version: * []#!/bin/ksh # snortstartd: Snort (Re)Starter # Dom De Vitto (dom@devitto..com) # (original idea by dr@kyx..net & kmaxwell@superpages.com) # # Note: You'd better get CONF and INTERFACES right or # this script will just keep trying to start snort. # Path to echo, sed, test, ps, grep, logger, rm, and sleep. PATH=$PATH:/usr/bin:/usr/local/bin ; export PATH # Point this to your conf file: CONF="/usr/local/share/examples/snort/snort.conf" # Which interfaces should Snort run on, e.g.: INTERFACES="hme0 hme1" # Wait this many seconds between checks: CHECKEVERY=5 # Full path to Snort: SNORTBINARY=/usr/local/bin/snort while :; do for INT in $INTERFACES do GREPSTRING="`echo $SNORTBINARY -N -D -c $CONF -i $INT|sed 's?\/?\\\/?g'`" PSCMDLINES=`(ps augxww 2>/dev/null||ps -ef 2>/dev/null) | grep "$GREPSTRING"|wc -l` if [ $PSCMDLINES = 0 ]; then logger -p user.notice -t "$0" "Starting Snort on $INT." $SNORTBINARY -N -D -c $CONF -i $INT 2>&1 > /dev/null fi done sleep $CHECKEVERY done 6.21 Why can't snort see one of the 10Mbps or 100Mbps traffic on my autoswitch hub Basically it's a function of the design and all autoswitching hubs will behave in this way. It's the result of just not being able to stuff all the 100 Mbps traffic into the 10Mbps CSMA/CD. One solution I use to the problem is these new cheapie four port switches... 
put all the 10Mbps on it's own hub/switch/ whatever and then route that to the 100Mbps hub I use for monitoring but put a cheapie switch in between that works as an adapter basically mediating the 10 up to 100 and vice versa. The bad thing about hubs that don't have this "feature", is that in order to support 10bt devices, they throttle the entire hub speed down to 10bt if there is one or more 10bt only devices hooked up to it. I have seen this behavior (and did the bandwidth tests to prove it) on old 3com office connect 10/100 hubs (newer ones do the 2 hubs with a switch thing.) So, the point of what I am saying is, since these old hubs have no switching capabilities, and they don't know which port the traffic is supposed to go to (no switch=no arp table), they have to throttle bandwidth. None of the hubs and switches have any significant amount of storage on the ethernet chip sets, and therefore any non-layer-three box that has 100 -> 10 capability can only handle small amounts of traffic before the chip set drops incoming packets on the floor. Guess one might call that throttled bandwidth, but at the expense of retransmission timeouts and retransmissions at the end nodes. If the box has a backplane, multiple cards and some network management functions, there is a higher probability the manufacturer has some additional buffering going on to keep dropped packets from happening on at least small bursts of traffic. In the most generic of terms, if a box supports 100 "full-duplex", then its a switch (regardless of what the manufacturer calls it). If it supports 100 -> 10, there is 50-50 chance the box has some MAC address awareness. If a box only supports 10 -> 10 or 100 -> 100, there is a high probability it is not MAC address aware and therefor functions like a hub. Many hubs have different back planes, ie one for 10 one for 100. From a definition standpoint, a hub segment whether it be 10 or 100 is a single broadcast/collision domain. 
You will not see ANY traffic between segments without a bridge or layer3 route function between them. In a switched environment, typically each port is a separate collision domain but one big broadcast domain. VLANs can be created in some to separate into separate broadcast domains and some have built in layer 3 functionality which basically connects a router into the backplane so that it can route between vlans at wire speed. Think of a switch as a bridge with many ports. (that's what it is). Some switches support port mirroring or span ports. When you want to "sniff" frames in a switched environment (beyond just broadcast/multicast traffic) you need to be able to "see" the unicast traffic (telnet,http for example). You set up a port to mirror traffic from the ports that have the devices your interested in to the port you have your analysis device plugged into. Without doing so, you don't see the unicast conversations because the traffic is getting "switched" across the backplane so pc on port 1 talks to server on port 2 and no other ports get this traffic. If server on port 2 broadcasts or multicasts, the information is flooded out all ports. (multicast can be controlled on some switches so only those ports that have listening stations get the traffic. Not all switches have these capabilities. An excellent book on the topic is Interconnections by Radia Perlman. (Bridges and Routers). Additional caveat: if you deal with full duplex on a switched port, only a tap would save you - users have successfully used Shomiti's ones on 100MB FD ports, and used two Snort instances, capturing traffic on both directions. Port mirroring didn't work in that case ... 6.22 Trying to install snort it says: "bad interpreter: No such file or directory" Usually this error comes from editing files on Windows machines. Often it shows up on the ./configure step. The configure script should be looking for the /bin /sh shell as its interpreter. 
If /bin/sh doesn't exist then you'll get this error. Check that whatever comes after the #! on the first line of configure is actually there. If the file has been edited on a Windows machine it can sometimes Add CR/LF (VM) characters on the end of each line, so #!/bin/sh becomes #!/bin/shVM and as the ctrl-v/ctrl-m characters are special, and hidden by default on most editors, it can create a really hard to find problem. To remove the extra CR characters that UNIXish machines don't like, simply use the dos2unix command: * []dos2unix If your OS doesn't have dos2unix, then you can use: * []cat | tr -d ``\r'' > 6.23 I'm not seeing any interfaces listed under Win32. The reason you're seeing nothing in the interface list is a WinPcap problem. In previous versions of WinPcap there is a 1K buffer, which overflows if you have many interfaces (ie. 10+). This has been replaced with an 8K buffer in more recent versions of WinPcap. The current snort distribution should already be linking against the newer WinPcap libraries, which should resolve this problem. Try obtaining a more recent build of snort. 6.24 It's not working on Win32, how can I tell if my problem is snort or WinPcap? See if WinDump will work with WinPcap. This should help you isolate which component is being bogus. 6.25 I just downloaded a new ruleset and now snort fails complaining about the rules. First, make sure you downloaded the right ruleset for your version of snort. Snort.org generally hosts a ruleset for the released version of snort, as well as rules for the development branch and sometimes copies for older versions of snort. This is generally the case for "unknown keyword in rule" type errors. If you have the rules that are correct for your version of snort be aware that the snort rules tarball contains a snort.conf file. From time to time the snort.conf included with the rules gets changed as new .rules files are added, and new variables are added to support a better ruleset. 
When downloading new rulesets you should always give the included snort.conf a quick look-over to see if new includes or vars have been added, or at least be aware you should consult it if things do not work as expected. This is generally the case if you get messages indicating that something is undefined in a rule. 6.26 How do I speed up ACID and MySQL ? (ACID FAQ B-10) MySQL optimizations Two things for you to check from the ACID faq: http://www.andrew.cmu.edu/~rdanyliw/snort/acid_faq.html * Compact the tables After numerous delete operations, "holes" will occur in the native files used to store the tables, decreasing the speed of all queries. The following shell script will examine all the MySQL tables and compact them. + []for table in `echo show tables|mysql snort|tail +2` do echo optimize table $table|mysql snort done (On current GNU coreutils the bare 'tail +2' is no longer accepted and is taken as a file name; write 'tail -n +2'. OPTIMIZE TABLE locks each table while it rebuilds it, so run this at a time when Snort is not logging heavily.) * Creating indexes Some of the required indexes are not created by the initial MySQL creation script. The following indexes can be added to significantly improve performance: tcphdr.tcp_sport tcphdr.tcp_dport acid_ag_alert.ag_sid + acid_ag_alert.ag_cid MySQL can be fast - you just need to have the proper indexing set up. If you need a good MySQL reference, pick up a copy of Paul DuBois' book, which is currently the bible for MySQL. O'Reilly also recently released a reference by Monty and the MySQL AB team. The way to check if the indices are already there is with the SHOW INDEX command. 
For instance, to check the tcphdr table, you would run: + []mysql> show index from tcphdr; +----+------+------+-------+-------+------+-------+-----+----+-----+ | Table | Non_unique | Key_name | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Comment | +----+------+------+-------+-------+------+-------+-----+----+-----+ | tcphdr | 0 | PRIMARY | 1 | sid | A | NULL | NULL | NULL | | | tcphdr | 0 | PRIMARY | 2 | cid | A | 2543146 | NULL | NULL | | | tcphdr | 1 | tcp_sport | 1 | tcp_sport | A | NULL | NULL | NULL | | | tcphdr | 1 | tcp_dport | 1 | tcp_dport | A | NULL | NULL | NULL | | | tcphdr | 1 | tcp_flags | 1 | tcp_flags | A | NULL | NULL | NULL | | +----+------+------+-------+-------+------+-------+-----+----+-----+ 5 rows in set (0.00 sec) You can see that in this case, the tcphdr.tcp_sport index is in line 3, and the tcphdr.tcp_dport is in line 4. If you need to create the index, you can run: + []CREATE INDEX idx_tcp_sport ON tcphdr(tcp_sport); To create a compound index, you would do this: + []CREATE INDEX idx_cpd_sid_cid ON acid_ag_alert(ag_sid,ag_cid); If you want to take a closer look at the table structures, you can use the DESCRIBE command, and pass it the table name: + [] mysql> DESCRIBE tcphdr; +------+-----------+---+---+-----+----+ | Field | Type | Null | Key | Default | Extra | +------+-----------+---+---+-----+----+ | sid | int(10) unsigned | | PRI | 0 | | | cid | int(10) unsigned | | PRI | 0 | | | tcp_sport | smallint(5) unsigned | | MUL | 0 | | | tcp_dport | smallint(5) unsigned | | MUL | 0 | | | tcp_seq | int(10) unsigned | YES | | NULL | | | tcp_ack | int(10) unsigned | YES | | NULL | | | tcp_off | tinyint(3) unsigned | YES | | NULL | | | tcp_res | tinyint(3) unsigned | YES | | NULL | | | tcp_flags | tinyint(3) unsigned | | MUL | 0 | | | tcp_win | smallint(5) unsigned | YES | | NULL | | | tcp_csum | smallint(5) unsigned | YES | | NULL | | | tcp_urp | smallint(5) unsigned | YES | | NULL | | 
+------+-----------+---+---+-----+----+ 12 rows in set (0.02 sec) 6.27 Why am I seeing so many "SMTP RCPT TO overflow" alerts ? That rule looks for a TCP frame going to your SMTP server which contains more than 800 bytes of data. Any email can easily set that off if pipelining is used. SMTP command pipelining allows several command lines to be sent as a single packet without waiting for an OK response. Any good high-volume mailserver will try to pipeline where possible, resulting in a single TCP frame containing a series of command lines, each of which is not very long, but which in aggregate easily exceed the 800 byte threshold, particularly if there is a large recipient list. For more info on pipelining: http://www.faqs.org/rfcs/rfc1854.html If your mailservers are not vulnerable to these overflows you can disable this rule and regain some peace... 6.28 I'm getting lots of *ICMP Ping Speedera*, is this bad? Quite ordinary. Windows update uses speedera based DNS, among other things. Of course, if the speedera traffic is coming from a Dialup account (as there have been reports of) it's likely a hacker tool. ;-) 6.29 Why are my unified alert times off by +/- N hours? Unified log and alert files are stored in UTC. 6.30 I try to start snort and it gives an error like "ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc". What can I do to fix this? When Snort starts it looks at the command line and checks for "-c /some/path/snort.conf". If that's not there, then it will look for one of the following files: * /etc/snort.conf * ./snort.conf * $HOMEDIR/snort.conf * $HOMEDIR/.snortrc * ./.snortrc Make sure your .conf is in one of those locations and then snort will be able to find it, or use the -c parameter to tell snort the full pathname to the snort.conf. snort -c /usr/local/etc/snort.conf Because the current directory is on that search list, anything that starts Snort as root (init scripts, cron jobs, the restart scripts in 6.20) should always pass -c with a full path, so that a snort.conf or .snortrc dropped into the working directory cannot be picked up instead of your own configuration. 7 Development 7.1 How do you put snort in debug mode? In 1.9 or greater, 1. ./configure --enable-debug 2. 
Look up the section of snort you'd like to debug ( look at src/debug.h ) and add up the constants. For example if you want to debug Portscan2, #define DEBUG_PORTSCAN2 0x00080000 /* 524288 / (+ conv2 ) 589824 */ To debug both just portscan2, export SNORT_DEBUG=524288 To debug both portscan2 and conversation: export SNORT_DEBUG=589824 3. Run snort as normal. You will need to redirect output to a file to cope with the large amounts of debug output. 8 Miscellaneous 8.1 What's this about a snort drinking game? :-) Check it out for yourself: http://www.theadamsfamily.net/~erek/snort/drinking_game.txt About this document ... The Snort FAQ This document was generated using the LaTeX2HTML translator Version 97.1 (release) (July 13th, 1997) Copyright 1993, 1994, 1995, 1996, 1997, Nikos Drakos, Computer Based Learning Unit, University of Leeds. The command line arguments were: latex2html -no_subdir -split 0 -show_section_numbers /tmp/lyx_tmpdir5901fp5901/ lyx_tmpbuf5901EF5901/faq.tex. The translation was initiated by Erek Adams on 4/9/2003 ------------------------------------------------------------------------------- Footnotes ...Shomiti/Finisar http://www.shomiti.com ...Netoptics http://www.netoptics.com/ ...syslog-ng http://www.balabit.hu/en/downloads/syslog-ng/ ...manual http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.2.4 ------------------------------------------------------------------------------- next up previous Erek Adams 4/9/2003 debian/my/snort_rules_update0000664000000000000000000000212412317374526013472 0ustar #!/bin/bash # contributed by Marcel , 2004. # and later modified by shizuma@vif.net and Javier Fernandez-Sanguino # to support oinkcodes # # Note that this script is more error-prone than the oinkmaster # scripts. 
It is recommended you install the 'oinkmaster' package # if you want to update Snort rules # # Example cron-entry: # # 7 0 * * * test -r /usr/local/bin/snort-update && /usr/local/bin/snort-update # vers=snapshot-CURRENT # vers=snapshot-2-7 # get your snort code at www.snort.org and enter it here oinkcode="" if [ -z "$oinkcode" ] ; then echo "You need an oinkcode to run this script!" >&2 echo "Aborting" >&2 exit 1 fi /etc/init.d/snort stop pushd /tmp wget http://www.snort.org/pub-bin/oinkmaster.cgi/${oinkcode}/snortrules-${vers}.tar.gz && ( \ tar zxf snortrules-${vers}.tar.gz; \ test "$vers" == "snapshot-2_1" && rm rules/netbios.rules; \ mv rules/*.rules /etc/snort/rules/; \ rm rules/snort.conf; \ mv rules/* /etc/snort/; \ rmdir rules; \ rm snortrules-${vers}.tar.gz; \ chown -R root.root /etc/snort/*; \ ) popd /etc/init.d/snort start debian/my/snort.ip-up.d0000664000000000000000000001210112317374526012165 0ustar #!/bin/sh -e test $DEBIAN_SCRIPT_DEBUG && set -v -x # Initial configuration :) DAEMON=/usr/sbin/snort NAME=snort DESC="Network Intrusion Detection System" CONFIG=/etc/snort/snort.debian.conf if [ -r /etc/snort/snort.common.parameters ] ; then COMMON=`cat /etc/snort/snort.common.parameters` elif [ -r /etc/default/snort ] ; then # Only read this if the old configuration is not present . /etc/default/snort COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP" fi test -x $DAEMON || exit 0 test -f $CONFIG && . 
$CONFIG test "$DEBIAN_SNORT_STARTUP" = "dialup" || exit 0 # These are the cases in which this script can run: # 1) with ppp environment set # 1.1) from ppp/ip-up # 1.2) from itself recursive # 2) without ppp environment set # 2.1) with saved ppp environment # 2.1.1) with pppd running: saved ppp environment is valid # 2.1.2) without pppd running: saved ppp environment is stale # 2.2) without saved ppp environment # 2.2.1) with pppd running # 2.2.2) without pppd running # # Behaviour: # 1.1, 1.2) # We just trust the environment, assume snort isn't already running, # overwrite any existing saved ppp environment with a new one # and leave it at that. # 2.1.1) # We start snort with the values from the saved ppp environment. # 2.1.2) # We remove the stale saved ppp environment and fall back to 2.2). # 2.2.1) # We try to figure out the values that are correct and try # to start snort. # 2.2.2) # We warn and won't start. check_log_dir() { # Does the logging directory belong to Snort? # If we cannot determine the logdir return without error # (we will not check it) # This will only be used by people using /etc/default/snort [ -n "$LOGDIR" ] || return 0 [ -n "$SNORTUSER" ] || return 0 if [ ! -e "$LOGDIR" ] ; then echo -n "ERR: logging directory $LOGDIR does not exist" return 1 elif [ ! -d "$LOGDIR" ] ; then echo -n "ERR: logging directory $LOGDIR does not exist" return 1 else real_log_user=`stat -c %U $LOGDIR` # An alternative way is to check if the snort user can create # a file there... if [ "$real_log_user" != "$SNORTUSER" ] ; then echo -n "ERR: logging directory $LOGDIR does not belong to the snort user $SNORTUSER" return 1 fi fi return 0 } if ! check_log_dir; then echo "Cannot start $DESC!" exit 1 fi if ! [ "$DEBIAN_SNORT_RECURSIVE" ]; then # Acquire lock... trap 'rm -f /var/run/snort.ppp.lock' 0 for tries in $(seq 1 10); do mkfifo /var/run/snort.ppp.lock 2>/dev/null && break sleep 1 done # Now it's locked or timed out. # In the latter case we assume stale lock. 
fi # If we are started with ppp environment set... if [ "$PPPD_PID" -a "$PPP_IFACE" -a "$PPP_LOCAL" ]; then echo -n "Starting $DESC: $NAME($PPP_IFACE)" PIDFILE=/var/run/snort_$PPP_IFACE.pid ENVFILE=/var/run/snort_$PPP_IFACE.env fail="failed (check /var/log/daemon.log)" /sbin/start-stop-daemon --stop --signal 0 --quiet \ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null && fail="already running" cd /etc/snort CONFIGFILE=/etc/snort/snort.$PPP_IFACE.conf if [ ! -e $CONFIGFILE ]; then echo "No /etc/snort/snort.$PPP_IFACE.conf, defaulting to snort.conf" CONFIGFILE=/etc/snort/snort.conf fi # We intentionally set +e here, thus (new) environment is even # saved, if startup fails - for further startup attempts set +e /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \ --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \ -c $CONFIGFILE \ -S "HOME_NET=[$PPP_LOCAL/32]" \ -i $PPP_IFACE >/dev/null ret=$? set -e case "$ret" in 0) echo "." ;; *) echo "...$fail." ;; esac echo "PPPD_PID=$PPPD_PID" > "$ENVFILE" echo "PPP_IFACE=$PPP_IFACE" >> "$ENVFILE" echo "PPP_LOCAL=$PPP_LOCAL" >> "$ENVFILE" exit $ret fi # Else, we are started without ppp environment set... DEBIAN_SNORT_RECURSIVE=1 export DEBIAN_SNORT_RECURSIVE # If we have saved environments, check and probably start them... envpattern=/var/run/snort_*.env # If we are requested to start one special environment... test "$1" -a -z "$2" && envpattern=/var/run/snort_"$1".env myret=0 got_instance=0 for env in $envpattern; do # This check is also needed, if the above pattern doesn't match test -f "$env" || continue; . "$env" # Prevent endless recursion because of damaged environments # Check, if the environment is still valid... if [ "$PPPD_PID" -a "$PPP_IFACE" -a "$PPP_LOCAL" ] && kill -0 $PPPD_PID 2>/dev/null && ps -p $PPPD_PID | grep -q pppd; then got_instance=1 export PPPD_PID PPP_IFACE PPP_LOCAL # Because the starup of this particular environment could # fail, we guard it set +e $0 "$@" ret=$? 
set -e case "$ret" in 0) ;; *) myret=$(expr "$myret" + 1) ;; esac else rm -f "$env" fi done # If we found no saved environments, we don't need to start anything if [ "$got_instance" = 0 ]; then echo "No snort instance found to be started!" >&2 exit 1 fi exit $myret debian/my/snort-stat0000664000000000000000000005042112317374526011672 0ustar #!/usr/bin/perl # # snort_stat.pl is a perl script trying to generate statistical data from every # day snort log file. # # USAGE: cat | snort_stat.pl -r -f -h -t n -l # -d: debug # -r: resolve IP address to domain name # -f: use fixed rather than variable width columns # -h: produce html output # -t: threshold # -a: scan whole file (no date limit) # -l: limit to entries # # or put it in the root's crontab file: #59 10 * * * root cat /var/log/authlog | /etc/snort_stat.pl | sendmail root # # Changelog: # 2003-01-07, Christian Hammers # * added option "-l" # * filtered for yesterdays lines # * renamed "attacks to events" # * slightly reformatted. # 2002-03-20, Yen-Ming Chen # * initial release # use Getopt::Std; # use Getopt for options use Socket; # use socket for resolving domain name from IP use vars qw($opt_r $opt_f $opt_d $opt_h $opt_t $opt_a); %HOSTS = (); # Hash for IP <-> domain name mapping getopts('darfht:l:') || die "Could not getopts"; # get options in command line $saddr_len = 15; $daddr_len = 15; $timeout = 3; # for name resolver $th = $opt_t || 0; # default threshold $maxlines = $opt_l || 99999; # no more than opt_l lines per statistic # used to filter yesterdays lines as auth.log is rotate weekly only chomp($yesterday_date_string = `/bin/date -d yesterday +'\%m/\%d-'`); if ($opt_d) { $yesterday_date_string = "."; } # process whatever comes in while (<>) { my $alert = {}; chomp; # is this line an alert message if ( $_ =~ /^\[\*\*\]/ ) { $line = <>; chomp($line); unless ( $line eq "" ) { # strip off the [**] from either end. 
s/\s*\[\*\*\]\s*//og; s/\s*\[[0-9:]+\]\s*//o; if ($_ =~ /^spp_anomsensor\:[\D]+\:\s([\d\.]+)/ox) { $alert->{PLUGIN} = "anomsensor"; $alert->{TYPE} = "plugin"; $alert->{SIG} = $alert->{PLUGIN}; } elsif ($_ =~ /^spp_portscan\:\sEnd\sof\sportscan\sfrom\s([\d\.]+)/ox) { $alert->{PLUGIN} = "portscan"; $alert->{TYPE} = "plugin"; $alert->{SADDR} = $1; $alert->{SIG} = $alert->{PLUGIN}; process_data($alert); $lastwassnort = 1; next; } elsif ( $_ =~ /^spp_stream4\:\s(.+)/o ) { $alert->{SIG} = $1; $alert->{TYPE} = "alert"; $alert->{PLUGIN} = "stream"; } elsif ( $_ =~ /[^:]/ox) { $alert->{SIG} = $_; $alert->{TYPE} = "alert"; } if ( $line =~ m/^\[Classification\:([^\]]*)\]\s \[Priority\:\s(\d+)\]/ox) { $alert->{CLASS} = $1; $alert->{PRIORITY} = $2; $line=<>; } if ( $line =~ m/^\[Priority\:\s(\d+)\]/ox) { $alert->{CLASS} = "Undefined"; $alert->{PRIORITY} = $1; $line=<>; } if ( $line =~ m/^(\d+)\/(\d+)(?:\/\d+)?\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s ([\d\.]+)[\:]*([\d]*)\s[\-\>]+\s([\d\.]+)[\:]*([\d]*)/ox) { next if (!$opt_a && $line =~ /^$yesterday_date_string/); $alert->{MON} = $1; $alert->{DAY} = $2; $alert->{HOUR} = $3; $alert->{MIN} = $4; $alert->{SEC} = $5; $alert->{SADDR} = $7; $alert->{SPORT} = $8; $alert->{DADDR} = $9; $alert->{DPORT} = $10; $alert->{HOST} = "localhost"; $alert->{CLASS} = "Undefined" if ! defined ($alert->{CLASS}); $alert->{PRIORITY} = 0 if ! 
defined ($alert->{PRIORITY}); process_data($alert); $lastwassnort = 1; next; } } else { print STDERR "Warning, file may be incomplete\n"; next; } } # This is syslog format if ($_ =~ m/^(\w{3}) \s+ (\d+) \s (\d+)\:(\d+)\:(\d+)\s (\S+?)\ssnort[\[\d+\]]*\:\s+(.+)/ox || m/^(\d+)\/(\d+)\-(\d+)\:(\d+)\:(\d+)\.(\d+)\s(.+)/ox) { $alert->{MON} = $1; $alert->{DAY} = $2; $alert->{HOUR} = $3; $alert->{MIN} = $4; $alert->{SEC} = $5; $alert->{HOST} = $6; $alert->{SIG} = $7; $alert->{SIG} =~ s/\s*\[[\d\:]+\]\s*//; # Get rid of [343:33:31] $alert->{SIG} =~ s/\[\*\*\]//og; # Get rid of [**] if fast alert if ($alert->{SIG} =~ m/spp_portscan\:\sEnd\sof\sportscan\sfrom\s ([\d\.]+)/ox) { # portscan $alert->{SADDR} = $1; $alert->{TYPE} = "plugin"; $alert->{PLUGIN} = "portscan"; process_data($alert); $lastwassnort = 1; next; } elsif ( $alert->{SIG} =~ s/\s([\d\.]+)[\:]?([\d]*)\s[\-\>]+\s ([\d\.]+)[\:]?([\d]*)\s*//x) { $alert->{SADDR} = $1; $alert->{SPORT} = $2; $alert->{DADDR} = $3; $alert->{DPORT} = $4; if ($alert->{SIG} =~ m/spp_anomsensor\:\sAnomaly\sthreshold\s exceeded\:\s([\d\.]+)/ox) { # spade $alert->{THR} = $1; $alert->{TYPE} = "plugin"; $alert->{PLUGIN} = "anomsensor"; process_data($alert); $lastwassnort = 1; next; } elsif ($alert->{SIG} =~ s/spp_bo\:\s//ox) { # bo $alert->{TYPE} = "plugin"; $alert->{PLUGIN} = "bo"; process_data($alert); $lastwassnort = 1; next; } elsif ($alert->{SIG} =~ s/spp_stream4\:\s//ox) { # stream4 $alert->{TYPE} = "plugin"; $alert->{PLUGIN} = "stream"; process_data($alert); $lastwassnort = 1; next; } else { # normal alert if ( $alert->{SIG} =~ s/\[Classification\:([^\[|^\]]*?)\]\s* (?:\[Priority\:\s(\d+)\])//x ) { $alert->{CLASS} = $1; $alert->{PRIORITY} = $2; } if ( $alert->{SIG} =~ s/^\[Priority\:\s(\d+)\]//x ) { $alert->{CLASS} = "Undefined"; $alert->{PRIORITY} = $1; } $alert->{TYPE} = "sys"; $alert->{PLUGIN} = "none"; process_data($alert); $lastwassnort = 1; next; } } else { print STDERR "No source/dest IP address found! Skipped!" 
if $opt_d; $alert = {}; next; } } # If a snort message has been repeated several times elsif ($lastwassnort && $_ =~ m/last message repeated (\d+) times/) { # put the data in the matrix again for each repeat $repeats = $1; while ($repeats) { push @result, $result[-1]; $repeats--; } next; } else { $lastwassnort = 0; next; } # Message not related to snort } # begin statistics # I should've used $#result + 1 as $total in the first version! :( $total = $#result + 1; for $i ( 0 .. $#result ) { # for the same pair of eventer and victim with same sig # to see the event pattern # used in same_event() $s0{"$result[$i]->[9],$result[$i]->[7],$result[$i]->[6]"}++; # for the same pair of eventer and victim # to see how many ways are being tried # used in same_host_dest() $s1{"$result[$i]->[7],$result[$i]->[9]"}++; # from same host use same method to event # to see how many events launched from one host # used in same_host_sig() $s2{"$result[$i]->[6],$result[$i]->[7]"}++; # to same victim with same method # to see how many events received by one host # used in same_dest_sig_stat() $s3{"$result[$i]->[6],$result[$i]->[9]"}++; # same signature # to see the popularity of one event method # used in event_distribution() $s4{"$result[$i]->[6]"}++; # source ip $s5{"$result[$i]->[7]"}++; # destination ip $s6{"$result[$i]->[9]"}++; } # begin report exit 0 unless ($total); print_head(); print_summary(); print_menu(); same_event(); same_host_dest(); same_host_sig(); same_dest_sig_stat(); event_distribution(); if ($opt_p) { portscan(); } if ($opt_n) { anomsensor(); } print_footer(); # print the header (e.g. for mail) sub print_head { my $hostname = `hostname --fqdn`; chomp($hostname); if ($opt_h) { print "\n\n"; print "Snort Statistics"; print "\n\n"; print "

[SNORT] $hostname Statistics

\n"; } else { print "Subject: [SNORT] $hostname daily report\n\n"; } } # print the time of begin and end of the log sub print_summary { if ($opt_h) { print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n"; print "\n" if $opt_p; print "\n" if $opt_n; print "
The log begins at:$result[0]->[0] $result[0]->[1] $result[0]->[2]:$result[0]->[3]:$result[0]->[4]
The log ends at:$result[$#result]->[0] $result[$#result]->[1] $result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]
Total events: $total
Signatures recorded: ". keys(%s4) ."
Source IP recorded: ". keys(%s5) ."
Destination IP recorded: ". keys(%s6) ."
Portscan detected: ", eval '$#posres +1',"
Anomaly detected: ", eval '$#anores +1',"
\n"; print "
\n"; } else { print "Events between $result[0]->[0] $result[0]->[1] ". "$result[0]->[2]:$result[0]->[3]:$result[0]->[4] and ". "$result[$#result]->[0] $result[$#result]->[1] ". "$result[$#result]->[2]:$result[$#result]->[3]:$result[$#result]->[4]\n"; print "Total events: $total\n"; print "Signatures recorded: ". keys(%s4) ."\n"; print "Source IP recorded: ". keys(%s5) ."\n"; print "Destination IP recorded: ". keys(%s6) ."\n"; print "Portscan recorded: ", eval '$#posres +1',"\n" if $opt_p; print "Anomaly recorded: ", eval '$#anores +1',"\n" if $opt_n; } } # print menu for HTML page sub print_menu { if ($opt_h) { print "
\n"; } } # to see the frequency of the event from a certain pair of # host and destination sub same_event { if ($opt_h) { print "

Number of event from same host to same destination using same method

\n"; print "\n"; print ""; foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @_ = split ",",$k; print "\n" if $s0{$k} > $th; } print "
# of eventsfromtowith
$s0{$k}$_[1]$_[0] ".printHref($_[2])."
Top
\n"; } else { section_header("Events from same host to same destination using same method\n", "asdm"); foreach $k ((sort { $s0{$b} <=> $s0{$a} } keys %s0)[0..$maxlines]) { @_ = split ",",$k; printf(" %4d %-${saddr_len}s %-${daddr_len}s %-20s\n", $s0{$k},$_[1],$_[0],$_[2]) if $s0{$k} > $th; } } } # to see the percentage and number of events from a host to a destination sub same_host_dest { if ($opt_h) { print "

Percentage and number of events from a host to a destination

\n"; print "\n"; print "\n"; foreach $k (sort { $s1{$b} <=> $s1{$a} } keys %s1) { @_ = split ",",$k; printf("
%# of eventsfromto
%-2.2f%-2d%-20s%-20s \n",$s1{$k}/$total*100,$s1{$k},$_[0],$_[1]) if $s1{$k} > $th; } print "
Top
\n"; } else { section_header("Percentage and number of events from a host to a destination\n", "pasd"); foreach $k ((sort { $s1{$b} <=> $s1{$a} } keys %s1)[0..$maxlines]) { @_ = split ",",$k; printf("%5.2f %4d %-${saddr_len}s %-${daddr_len}s\n", $s1{$k}/$total*100, $s1{$k},$_[0],$_[1]) if $s1{$k} > $th; } } } # to see how many events launched from one host sub same_host_sig { if ($opt_h) { print "

Percentage and number of events from one host to any with same method

\n"; print "\n"; print "\n"; foreach $k (sort { $s2{$b} <=> $s2{$a} } keys %s2) { @_ = split ",",$k; printf("\n",$s2{$k}/$total*100,$s2{$k},$_[1],&printHref($_[0])) if $s2{$k} > $th; } print "
%# of eventsfromtype
%-2.2f%-4d%-20s%-28s
Top
\n"; } else { section_header("Percentage and number of events from one host to any with same method\n", "pasm"); foreach $k ((sort { $s2{$b} <=> $s2{$a} } keys %s2)[0..$maxlines]) { @_ = split ",",$k; printf("%5.2f %4d %-${saddr_len}s %-28s\n", $s2{$k}/$total*100, $s2{$k},$_[1],$_[0]) if $s2{$k} > $th; } } } # to see how many events received by one host (destination correlated) sub same_dest_sig_stat { if ($opt_h) { print "

Percentage and number of events to one certain host

\n"; print "\n"; print "\n"; foreach $k (sort { $s3{$b} <=> $s3{$a} } keys %s3) { @_ = split ",",$k; printf("
%# of eventstotype
%-2.2f%-4d%-25s%-28s\n",$s3{$k}/$total*100,$s3{$k},$_[1],&printHref($_[0])) if $s3{$k} > $th; } print "
Top
\n"; } else { section_header("Percentage and number of events to one certain host\n", "padm"); foreach $k ((sort { $s3{$b} <=> $s3{$a} } keys %s3)[0..$maxlines]) { @_ = split ",",$k; printf("%5.2f %4d %-${daddr_len}s %-28s\n", $s3{$k}/$total*100, $s3{$k}, $_[1], $_[0]) if $s3{$k} > $th; } } } # to see the popularity of one event method sub event_distribution { if ($opt_h) { print "

Distribution of event methods

\n"; print "\n"; print "\n"; foreach $k (sort { $s4{$b} <=> $s4{$a} } keys %s4) { @p1 = split ":",$k; if ($s4{$k} > $th) { printf("\n", $s4{$k}/$total*100,$s4{$k},&printHref($p1[0])); foreach $k2 (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @p2 = split ",",$k2; printf("\n", $s0{$k2}, join(" -> ", $p2[1],$p2[0])) if $p1[0] eq $p2[2]; } } } print "
%# of eventsmethods
%-2.2f%-4d%-32s
%-4d%-32s
Top
\n"; } else { section_header("The distribution of event methods\n", "pam"); foreach $k ((sort { $s4{$b} <=> $s4{$a} } keys %s4)[0..$maxlines]) { @p1 = split ":",$k; if ($s4{$k} > $th) { printf("%5.2f %4d %-32s\n", $s4{$k}/$total*100,$s4{$k},$p1[0]); foreach $k2 (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @p2 = split ",",$k2; printf("\t\t %-4d %-${saddr_len}s -> %-${daddr_len}s\n", $s0{$k2}, $p2[1],$p2[0]) if $p1[0] eq $p2[2]; } } } } } # portscan (if enable -p switch) # Please use '-A fast' to generate the log, so portscan() can process it. # contributed by: Paul Bobby, # Jian-Da Li, sub portscan { my (%s7, %s8); # to see how many times a host performs portscan # used in portscan() for $i (0 .. $#posres) { $s7{"$posres[$i]->[0]"}++; } if ($opt_h) { print "

Portscans performed to/from HOME_NET

\n"; print "\n"; print "\n"; foreach $k (sort { $s7{$b} <=> $s7{$a} } keys %s7) { print "\n" if $s7{$k} > $th; } print "
Scan AttemptsSource Address
$s7{$k}$k
Top
\n"; } else { section_header("Portscans performed to/from HOME_NET\n", "as"); foreach $k ((sort { $s7{$b} <=> $s7{$a} } keys %s7)[0..$maxlines]) { printf(" %4d %-${saddr_len}s\n", $s7{$k},$k) if $s7{$k} > $th; } } } # anomsensor (if enable -n switch) # This function process data generated by spp_anomsensor plug-in (SPADE) # By Yen-Ming Chen sub anomsensor { my (%s7); # to see how many times a host performs portscan # used in anomsensor() for $i (0 .. $#anores) { $s7{"$anores[$i]->[1],$anores[$i]->[3],$anores[$i]->[4]"}++; } if ($opt_h) { print "

Anomaly detected by SPADE

\n"; print "\n"; print "\n"; foreach $k (sort { $s7{$b} <=> $s7{$a} } keys %s7) { @_ = split(/,/,$k); print "\n" if $s7{$k} > $th; } print "
Scan AttemptsSource AddressDestination AddressDestination Ports
$s7{$k}$_[0]$_[1]$_[2]
Top
\n"; } else {
        # Plain-text branch: top $maxlines+1 (source, destination, dport)
        # triples, each shown only when its count exceeds $th.
        # NOTE(review): the list slice yields undef entries when there are
        # fewer than $maxlines+1 keys; those only fail the $th test.
        section_header("Anomaly detected by SPADE\n", "asdo");
        foreach $k ((sort { $s7{$b} <=> $s7{$a} } keys %s7)[0..$maxlines]) {
            @_ = split(/,/,$k);
            printf(" %-4d %-${saddr_len}s %-${daddr_len}s\t%-6d\n",
                   $s7{$k},$_[0],$_[1],$_[2]) if $s7{$k} > $th;
        }
    }
}

# print the footer (needed for html)
# Only emitted in -h mode.
# NOTE(review): the markup inside these string literals appears to have
# been stripped in this copy of the file; the strings are kept as found.
sub print_footer {
    if ($opt_h) {
        print "Generated by snort_stat.pl\n";
        print "\n\n";
    }
}

#
# resolve host name and cache it
# contributed by: Angelos Karageorgiou,
# edited by: $Author: ssmeenk $
#
# Reverse-resolves the address $mhost via gethostbyaddr(), bounded by
# $timeout seconds (SIGALRM + die/eval), and memoises the answer in the
# global %HOSTS.  On a timeout, a failed lookup or an empty answer the
# address itself is returned, so callers always get a printable string.
#
# NOTE(review): the returned name is whatever the PTR record for that
# address says, i.e. it is chosen by whoever controls the reverse zone of
# the (attacking) host.  Callers interpolate it straight into the report
# -- with -h into the HTML table rows -- and no escaping is visible in
# this file; they also use it as a field of ","-joined hash keys.  A
# hostile PTR containing commas, newlines or markup therefore corrupts
# the report and, if the HTML is viewed in a browser, can inject content.
# Treat the value as untrusted.
#
sub resolve {
    # package globals, localised rather than lexical (`my`)
    local ($mname, $miaddr, $mhost = shift);
    # runs on every call, before the cache is consulted
    $miaddr = inet_aton($mhost);
    if (!$HOSTS{$mhost}) {
        $mname ="";
        eval {
            local $SIG{ALRM} = sub {die "alarm\n" }; # NB \n required
            alarm $timeout;
            $mname = gethostbyaddr($miaddr, AF_INET);
            alarm 0;
        };
        die if $@ && $@ ne "alarm\n"; # propagate errors
        # no answer (or timed out): fall back to the bare address
        if ($mname =~ /^$/) { $mname = $mhost; }
        $HOSTS{$mhost} = $mname;
    }
    return $HOSTS{$mhost};
}

# Use a title and a short code to write the section headers
# This is used in place of a FORMAT as this allows variable column widths
# contributed by: Ned Patterson,
#
# Usage: section_header($title, $format);
#
# Format: "pasdom"
#   p percentage of events
#   a number of events
#   s source host
#   d destination host
#   o ports column (the original comment said "home net"; the code
#     prints a "ports" heading for it)
#   m method used
#
# The s/d column widths come from the globals $saddr_len/$daddr_len,
# which process_data() widens to fit resolved names unless $opt_f.
# NOTE(review): assigns the package globals $title and $_ (no `my`), so
# the caller's $_ is clobbered.  The 'o' column is not included in
# $linelength, so the "=" rule is shorter than the header for formats
# that contain it (e.g. "asdo").
#
sub section_header {
    my $linelength;
    $title = shift;
    $_ = shift;
    print("\n\n$title");
    # constant for method length for now
    $linelength = (/p/?7:0) + (/a/?20:0) + (/s/?$saddr_len:0) + (/d/?$daddr_len+3:0) + (/m/?20:0);
    print( '=' x $linelength, "\n");
    # each s/// strips one leading format letter, in the order p,a,s,d,o,m
    print(" % ") if (s/^p([asdm]*)/$1/);
    print(" # of ") if (s/^a([sdm]*)/$1/);
    printf("%-${saddr_len}s ", "from") if (s/^s([dm]*)/$1/);
    printf("%-${daddr_len}s ", "to" ) if (s/^d(m*)/$1/);
    printf("%-5s ", "ports" ) if (s/^o(m*)/$1/);
    print("method") if (/^m/);
    print("\n");
    print( '=' x $linelength, "\n");
}

# Put data $alert into matrix for further process
# INPUT: $alert
# $alert is a hashref of parsed fields (TYPE, PLUGIN, SIG, SADDR, SPORT,
# DADDR, DPORT, MON/DAY/HOUR/MIN/SEC, HOST, THR).  With -r both addresses
# are first replaced by their reverse names (see resolve()); the record is
# then appended to @anores, @posres or @result depending on PLUGIN/TYPE.
# NOTE(review): declared with an empty () prototype yet receives an
# argument; presumably the call site sits above this definition, where
# the prototype is not yet in effect -- confirm before moving it.
sub process_data() {
    $self = shift;    # package global, not `my`
    # if the resolve switch is on
    if ($opt_r) {
        $self->{SADDR} = resolve($self->{SADDR});
        unless
($opt_f) { if ( length($self->{SADDR}) > $saddr_len ) { $saddr_len = length($self->{SADDR}); } } $self->{DADDR} = resolve($self->{DADDR}); unless ($opt_f) { if ( length($self->{DADDR}) > $daddr_len ) { $daddr_len = length($self->{DADDR}); } } } # put those data into a big matrix if ($self->{PLUGIN} eq "anomsensor") { push @anores , [$self->{THR},$self->{SADDR},$self->{SPORT}, $self->{DADDR},$self->{DPORT}]; $opt_n = 1; } elsif ($self->{PLUGIN} eq "portscan") { push @posres , [$self->{SADDR}]; $opt_p = 1; } elsif ($self->{TYPE} eq "sys" || $self->{TYPE} eq "alert" || $self->{PLUGIN} eq "stream" || $self->{PLUGIN} eq "bo" ) { $self->{SIG} =~ s/\:$//o; push @result ,[$self->{MON},$self->{DAY},$self->{HOUR},$self->{MIN}, $self->{SEC},$self->{HOST},$self->{SIG},$self->{SADDR}, $self->{SPORT},$self->{DADDR},$self->{DPORT}]; $lastwassnort = 1; } else { print STDERR "Unknown alert type/plugin! $self->{TYPE}:$self->{PLUGIN} Skipped!\n"; return; } 1; } # Turn IDS into the link to whitehats sub printHref { my $type = $_[0]; if ($type =~ /\A\s*(IDS\d+)\//) { return "$type"; } return $type; } debian/my/lisapaper.txt0000664000000000000000000011605612317374526012361 0ustar Snort - Lightweight Intrusion Detection for Networks Martin Roesch Stanford Telecommunications, Inc. roesch@clark.net ABSTRACT Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense which monitors network traffic for predefined suspicious activity or patterns, and alert system administrators when potential hostile traffic is detected. Commercial NIDS have many differences, but Information Systems departments must face the commonalities that they share such as significant system footprint, complex deployment and high monetary cost. Snort was designed to address these issues. 
Introduction Snort fills an important "ecological niche" in the realm of network security: a cross-platform, lightweight network intrusion detection tool that can be deployed to monitor small TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks. It can provide administrators with enough data to make informed decisions on the proper course of action in the face of suspicious activity. Snort can also be deployed rapidly to fill potential holes in a network's security coverage, such as when a new attack emerges and commercial security vendors are slow to release new attack recognition signatures. This paper discusses the background of Snort and its rules-based traffic collection engine, as well as new and different applications where it can be very useful as a part of an integrated network security infrastructure. Snort is a tool for small, lightly utilized networks. Snort is useful when it is not cost efficient to deploy commercial NIDS sensors. Modern commercial intrusion detection systems cost thousands of dollars at minimum, tens or even hundreds of thousands in extreme cases. Snort is available under the GNU General Public License [GNU89], and is free for use in any environment, making the employment of Snort as a network security system more of a network management and coordination issue than one of affordability. What is "lightweight" intrusion detection? A lightweight intrusion detection system can easily be deployed on most any node of a network, with minimal disruption to operations. Lightweight IDS' should be cross-platform, have a small system footprint, and be easily configured by system administrators who need to implement a specific security solution in a short amount of time. They can be any set of software tools which can be assembled and put into action in response to evolving security situations. 
Lightweight IDS' are small, powerful, and flexible enough to be used as permanent elements of the network security infrastructure. Snort is well suited to fill these roles, weighing in at roughly 100 kilobytes in its compressed source distribution. On most modern architectures Snort takes only a few minutes to compile and put into place, and perhaps another ten minutes to configure and activate. Compare this with many commercial NIDS', which require dedicated platforms and user training to deploy in a meaningful way. Snort can be configured and left running for long periods of time without requiring monitoring or administrative maintenance, and can therefore also be utilized as an integral part of most network security infrastructures. What is Snort? Snort is a libpcap-based [PCAP94] packet sniffer and logger that can be used as a lightweight network intrusion detection system (NIDS). It features rules based logging to perform content pattern matching and detect a variety of attacks and probes, such as buffer overflows [ALE96], stealth port scans, CGI attacks, SMB probes, and much more. Snort has real-time alerting capability, with alerts being sent to syslog, Server Message Block (SMB) "WinPopup" messages, or a separate "alert" file. Snort is configured using command line switches and optional Berkeley Packet Filter [BPF93] commands. The detection engine is programmed using a simple language that describes per packet tests and actions. Ease of use simplifies and expedites the development of new exploit detection rules. For example, when the IIS Showcode [IISBT99] web exploits were revealed on the Bugtraq mailing list [BTQ99], Snort rules to detect the probes were available within a few hours. Snort vs. The World! Snort shares commonalities with both sniffers and NIDS. Two programs that lend themselves to direct comparison with Snort, tcpdump and Network Flight Recorder [NFR97], will be examined and contrasted in this section. 
In many cases, Snort is financially, technically, and/or adminstratively easier to implement than other Open Source [OSS98] or commercially available tools. How is Snort different from tcpdump? Snort is cosmetically similar to tcpdump [TCPD91] but is more focused on the security applications of packet sniffing. The major feature that Snort has which tcpdump does not is packet payload inspection. Snort decodes the application layer of a packet and can be given rules to collect traffic that has specific data contained within its application layer. This allows Snort to detect many types of hostile activity, including buffer overflows, CGI scans, or any other data in the packet payload that can be characterized in a unique detection fingerprint. Another Snort advantage is that its decoded output display is somewhat more user friendly than tcpdump's output. Snort does not currently lookup host names or port names while running, which is a function that tcpdump can perform. Snort is focused on collecting packets as quickly as possible and processing them in the Snort detection engine. Performing run-time host name lookup is not conducive to high performance packet analysis. Figure 1 shows typical Snort output for a telnet banner display, and Figure 2 shows the same packet as displayed by tcpdump. Figure 1 - Typical Snort telnet packet display: -------------------------------------------------------------------------- 20:59:49.153313 0:10:4B:D:A9:66 -> 0:60:97:7:C2:8E type:0x800 len:0x7D 192.168.1.3:23 -> 192.168.1.4:1031 TCP TTL:64 TOS:0x10 DF ***PA* Seq: 0xDF4A6536 Ack: 0xB3A6FD01 Win: 0x446A FF FA 22 03 03 E2 03 04 82 0F 07 E2 1C 08 82 04 .."............. 09 C2 1A 0A 82 7F 0B 82 15 0F 82 11 10 82 13 FF ................ F0 0D 0A 46 72 65 65 42 53 44 20 28 65 6C 72 69 ...FreeBSD (elri 63 2E 68 6F 6D 65 2E 6E 65 74 29 20 28 74 74 79 c.home.net) (tty 70 30 29 0D 0A 0D 0A p0).... 
--------------------------------------------------------------------------- Figure 2 - The same telnet packet as displayed by tcpdump: --------------------------------------------------------------------------- 20:59:49.153313 0:10:4b:d:a9:66 0:60:97:7:c2:8e 0800 125: 192.168.1.3.23 > 192.168.1.4.1031: P 76:147(71) ack 194 win 17514 (DF) [tos 0x10] (ttl 64, id 660) 4510 006f 0294 4000 4006 b48d c0a8 0103 c0a8 0104 0017 0407 df4a 6536 b3a6 fd01 5018 446a d2ad 0000 fffa 2203 03e2 0304 820f 07e2 1c08 8204 09c2 1a0a 827f 0b82 150f 8211 1082 13ff f00d 0a46 7265 6542 5344 2028 656c 7269 632e 686f 6d65 2e6e 6574 2920 2874 7479 7030 290d 0a0d 0a --------------------------------------------------------------------------- One powerful feature that Snort and tcpdump share, is the capability to filter traffic with Berkeley Packet Filter (BPF) commands. This allows traffic to be collected based upon a variety of specific packet fields. For example, both tools may be instructed via BPF commands to process TCP traffic only. While tcpdump would collect all TCP traffic, Snort can utilize its flexible rules set to perform additional functions, such as searching out and recording only those packets that have their TCP flags set a particular way or containing web requests that amount to CGI vulnerability probes. The SHADOW IDS [SHD98] from the Naval Surface Warfare Center is based on tcpdump and uses extensive BPF filtering. SHADOW is discussed in more detail near the end of this paper. Snort and NFR Perhaps the best comparison of Snort to NFR is the analogy of Snort as little brother to NFR's college-bound football hero. Snort shares some of the same concepts of functionality as NFR, but NFR is a more flexible and complete network analysis tool. That said, the little brother idea could be extended in that Snort tends to fit into small places and is somewhat more "nimble" than NFR. 
For example, NFR's packet filtering n-code language is a serious, full featured scripting language, while Snort's rules are more one dimensional. On the other hand, writing a Snort rule to detect a new attack takes only minutes once the attack signature has been determined. See Appendix A for an example of a simple web detection rule written in n-code and the analogous Snort rule. NFR also has a more complete feature set than Snort, including IP fragmentation reassembly and TCP stream decoding. These features are essential in any commercial product that is meant to perform mission critical intrusion detection, and NFR was the first product which could defeat anti-NIDS attacks outlined by Ptacek and Newsham [PTA98]. Presently, Snort does not implement TCP stream reassembly, but future versions will implement this capability. Snort currently addresses IP fragmentation with a rule option that sets a minimum size threshold for fragmented packets. This rule option takes advantage of the fact that there is virtually no commercial network equipment on the market that fragments packets smaller than 256-bytes. By setting this threshold value to some reasonable value, say 128-bytes, fragmented packet probes and attacks can be logged and alerts can be sent by Snort automatically. Full IP fragment and TCP stream reassembly and analysis will be addressed in later versions of Snort. Under the Hood Snort's architecture is focused on performance, simplicity, and flexibility. There are three primary subsystems that make up Snort: the packet decoder, the detection engine, and the logging and alerting subsystem. These subsystems ride on top of the libpcap promiscuous packet sniffing library, which provides a portable packet sniffing and filtering capability. 
Program configuration, rules parsing, and data structure generation takes place before the sniffer section is initialized, keeping the amount of per packet processing to the minimum required to achieve the base program functionality. The packet decoder The decode engine is organized around the layers of the protocol stack present in the supported data-link and TCP/IP protocol definitions. Each subroutine in the decoder imposes order on the packet data by overlaying data structures on the raw network traffic. These decoding routines are called in order through the protocol stack, from the data link layer up through the transport layer, finally ending at the application layer. Speed is emphasized in this section, and the majority of the functionality of the decoder consists of setting pointers into the packet data for later analysis by the detection engine. Snort provides decoding capabilities for Ethernet, SLIP, and raw (PPP) data-link protocols. ATM support is under development. The detection engine Snort maintains its detection rules in a two dimensional linked list of what are termed Chain Headers and Chain Options. These are lists of rules that have been condensed down to a list of common attributes in the Chain Headers, with the detection modifier options contained in the Chain Options. For example, if forty five CGI-BIN probe detection rules are specified in a given Snort detection library file, they generally all share common source and destination IP addresses and ports. To speed the detection processing, these commonalities are condensed into a single Chain Header and then individual detection signatures are kept in Chain Option structures. 
Figure 3 - Rule Chain logical structure ------------------------------------------------------------------------------- ------------------------ ------------------------ ----- | Chain Header | | Chain Header | | Chai | | | | | | Source IP Address | | Source IP Address | | Sour | Destination IP Address |--------->| Destination IP Address |--------->| Dest | Source Port | | Source Port | | Sour | Destination Port | | Destination Port | | Dest | | | | | ------------------------ ------------------------ ----- | | | | | | \|/ \|/ -----------V--------- -----------V--------- | Chain Option | | Chain Option | | | | | | Content | | TCP Flags | | ICMP Codes/types | | Payload Size | | etc. | | | --------------------- | | | \|/ -----------V--------- | Chain Option | | | | Content | | TCP Flags | | ICMP Codes/types | | Payload Size | | etc. | | | --------------------- | | ------------------------------------------------------------------------------- These rule chains are searched recursively for each packet in both directions. The detection engine checks only those chain options which have been set by the rules parser at run-time. The first rule that matches a decoded packet in the detection engine triggers the action specified in the rule definition and returns. A major overhaul of the detection engine is currently in the planning and development stage. The next version of the engine will include the capability for users to write and distribute plug-in modules and bind them to keywords for the detection engine rules language. This will allow anyone with an appropriate plug-in module to add significant detection functionality to Snort and customize the program for specific jobs. The logging/alerting subsystem The alerting and logging subsystem is selected at run-time with command line switches. There are currently three logging and five alerting options. 
The logging options can be set to log packets in their decoded, human readable format to an IP-based directory structure, or in tcpdump binary format to a single log file. The decoded format logging allows fast analysis of data collected by the system. The tcpdump format is much faster to record to the disk and should be used in instances where high performance is required. Logging can also be turned off completely, leaving alerts enabled for even greater performance improvements. Alerts may either be sent to syslog, logged to an alert text file in two different formats, or sent as WinPopup messages using the Samba smbclient program. The syslog alerts are sent as security/authorization messages that are easily monitored with tools such as swatch [SWT93]. WinPopup alerts allow event notifications to be sent to a user-specified list of Microsoft Windows consoles running the WinPopup software. There are two options for sending the alerts to a plain text file; full and fast alerting. Full alerting writes the alert message and the packet header information through the transport layer protocol. The fast alert option writes a condensed subset of the header information to the alert file, allowing greater performance under load than full mode. There is a fifth option to completely disable alerting, which is useful when alerting is unnecessary or inappropriate, such as when network penetration tests are being performed. Writing Snort Rules Snort rules are simple to write, yet powerful enough to detect a wide variety of hostile or merely suspicious network traffic. There are three base action directives that Snort can use when a packet matches a specified rule pattern: pass, log, or alert. Pass rules simply drop the packet from further processing: because Snort is a passive sniffer, a pass rule means the packet is neither logged nor alerted on, not that it is blocked on the wire. Log rules write the full packet to the logging routine that was user selected at run-time. 
Alert rules generate an event notification using the method specified by the user at the command line, and then log the full packet using the selected logging mechanism to enable later analysis. The most basic rules contain only protocol, direction, and the port of interest, such as in Figure 4. Figure 4 - A simple Snort rule --------------------------------------------------------------------------- log tcp any any -> 10.1.1.0/24 79 --------------------------------------------------------------------------- This rule would record all traffic inbound for port 79 (finger) going to the 10.1.1 class C network address space. Snort interprets keywords enclosed in parentheses as "option fields". Option fields are available for all rule types and may be used to generate complex behaviors from the program, such as in Figure 5. Figure 5 - Options allow increased rule complexity --------------------------------------------------------------------------- alert tcp any any -> 10.1.1.0/24 80 (content: "/cgi-bin/phf"; msg: "PHF probe!";) --------------------------------------------------------------------------- The rule in Figure 5 would detect attempts to access the PHF service on any of the local network's web servers. If such a packet is detected on the network, an event notification alert is generated and then the entire packet is logged via the logging mechanism selected at run-time. The rule IP address and port specifiers have several features available. The CIDR block netmask may be set to any value between one and thirty-two. Port ranges can be specified using the colon ":" modifier. For example, to monitor all ports upon which the X Windows service may run (generally 6000 through 6010), the port range could be specified with the colon modifier as shown in Figure 6. 
Figure 6 - An example of port ranges --------------------------------------------------------------------------- alert tcp any any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";) --------------------------------------------------------------------------- Both ports and IP addresses can be modified to match by exception with the bang "!" operator, which would be useful in the rule described in Figure 7 to detect X Windows traffic from sources outside of the network. Figure 7 - Matching by exception on the source IP address --------------------------------------------------------------------------- alert tcp !10.1.1.0/24 any -> 10.1.1.0/24 6000:6010 (msg: "X traffic";) --------------------------------------------------------------------------- This rule would generate an alert for all traffic originating outside of the host network that was bound for internal X Windows service ports. Snort version 1.2.1 has fourteen option fields available: 1. content: Search the packet payload for a specified pattern. 2. flags: Test the TCP flags for specified settings. 3. ttl: Check the IP header's time-to-live (TTL) field. 4. itype: Match on the ICMP type field. 5. icode: Match on the ICMP code field. 6. minfrag: Set the threshold value for IP fragment size. 7. id: Test the IP header's identification (ID) field for the specified value. 8. ack: Look for a specific TCP header acknowledgement number. 9. seq: Look for a specific TCP header sequence number. 10. logto: Log packets matching the rule to the specified filename. 11. dsize: Match on the size of the packet payload. 12. offset: Modifier for the content option, sets the offset into the packet payload to begin the content search. 13. depth: Modifier for the content option, sets the number of bytes from the start position to search through. 14. msg: Sets the message to be sent when a packet generates an event. These options may be combined in any manner to detect and classify packets of interest. 
The rule options are processed using a logical AND between them; all of the testing options in a rule must be true in order for the rule to generate a "found" response and have the program perform the rule action. Rule Development Snort is extremely useful for rapidly developing new Snort rules. The clear and concise manner in which the data is displayed by the tool makes it perfect for writing new rules. The general method for development consists of getting the exploit of interest, such as a new buffer overflow, running the exploit on a test network with Snort recording all traffic between the target and attack hosts, and then analyzing the data for a unique signature and condensing that signature into a rule. Figure 8 shows Snort's view of a notional "IMAP buffer overflow" that has just come into widespread use by the "script kiddie" community. Figure 8 - Notional "IMAP buffer overflow" packet -------------------------------------------------------------------------- 052499-22:27:58.403313 192.168.1.4:1034 -> 192.168.1.3:143 TCP TTL:64 TOS:0x0 DF ***PA* Seq: 0x5295B44E Ack: 0x1B4F8970 Win: 0x7D78 90 90 90 90 90 90 90 90 90 90 90 90 90 90 EB 3B ...............; 5E 89 76 08 31 ED 31 C9 31 C0 88 6E 07 89 6E 0C ^.v.1.1.1..n..n. B0 0B 89 F3 8D 6E 08 89 E9 8D 6E 0C 89 EA CD 80 .....n....n..... 31 DB 89 D8 40 CD 80 90 90 90 90 90 90 90 90 90 1...@........... 90 90 90 90 90 90 90 90 90 90 90 E8 C0 FF FF FF ................ 2F 62 69 6E 2F 73 68 90 90 90 90 90 90 90 90 90 /bin/sh......... --------------------------------------------------------------------------- The unique signature data in the application layer is the machine code just prior to the /bin/sh text string, as well as the string itself. Using this information, a new rule can be developed quickly, such as the one defined in Figure 9. 
Figure 9 - Alert rule for the new buffer overflow --------------------------------------------------------------------------- alert tcp any any -> 192.168.1.0/24 143 (content:"|E8C0 FFFF FF|/bin/sh"; msg:"New IMAP Buffer Overflow detected!";) --------------------------------------------------------------------------- The content field of the rule contains mixed plain text and hex formatted bytecode, which is enclosed in pipes. At run-time, this data is converted into its binary representation, as displayed in the decoded packet dump in Figure 8, and then stored in an internal list of rules by Snort. Thus, the rule contained in Figure 9 will raise an alarm any time a packet containing the "fingerprint" of the new IMAP buffer overflow is detected. Writing high performance pattern matching rules The current rules system lends itself to high performance under most conditions, but there are some general concepts that can be applied when writing Snort rules to keep the processing speeds as high as possible. Computationally, the content matching option is the most expensive process that can be performed in the detection engine. Accordingly, it is performed after all other rule tests. This fact can be used to advantage by specifying other rule options in combination with the content option. For example, almost all requests to web servers have their TCP PUSH and ACK flags set. Using this knowledge, it is relatively easy to write a rule which will perform a simple TCP flag test before running the far more computationally intensive pattern match test. Other options can be combined with the content rules to limit the amount of data that must be searched. The offset and depth keywords were made specifically to fulfill this function. Using these options, the area of the packet payload to search for an exploit pattern can be localized. Care should be taken to avoid limiting the search too severely. 
For example, many buffer overflows use variable offsets to tune the size and placement of the exploit machine code. A Snort rule that has been tuned too tightly to key on a specific area of a packet's payload may overlook the real exploit that has been shifted to a different area within the packet. On the other hand, web CGI probes and attacks generally all take place at the beginning of the packet within the first thirty to fifty bytes. This can be a great place to optimize Snort content searching. The actual search pattern used in the content rule is another area where performance tuning may take place. Snort uses a Boyer-Moore [SEDG97] algorithm to perform its pattern matching, which is one of the best algorithms available for that task. It achieves its greatest efficiency in cases where the pattern to match consists of non-repeating sets of unique bytes. For example, the Intel x86 architecture uses the hex value 0x90 to indicate a NOP in machine code. Buffer overflows generally use large regions of NOPs to pad the actual exploit code and make the return jump calculations easier for the exploit programmer. When specifying content match patterns, it is best to avoid including any NOPs in the match pattern, which will otherwise cause the Boyer-Moore routine to complete many partial matches before actually finding the correct match pattern. Advanced Snorting Snort is a flexible tool with a wide variety of uses. It is intended to be used in the most classic sense of a network intrusion detection system. It examines network traffic against a set of rules, and alerts administrators to suspicious network activity so that they may react appropriately. There are many other areas where Snort can be useful as well. Shoring up commercial IDS' Snort can be used to fill holes in commercial vendor's network-based intrusion detection tools, such as when a new attack makes its debut in the hacker/cracker community and signature updates are slow to come from the vendor. 
In this case, Snort may be used to characterize the new attack by running it locally on a test network and determining its signature. Once the signature is written into a snort rule, the BPF command line filtering may be used to limit the traffic that Snort analyzes to the service or protocol of interest. Snort can be used as a very specialized detector for a single attack or family of attacks in this mode. The recent IRDP denial of service attack [IRDP99] revealed by the L0pht provides a good example of this concept. The same day that the attack was announced, Snort rules were made available by the user community and these attacks were detectable. Passive traps Another application to which Snort is very well suited is as a Honeypot monitor. Honeypots are programs or computers that are dedicated to the notion of deceiving hostile parties interested in a network. Most honeypot systems, for example Fred Cohen & Associates Deception Toolkit [DTK98], record their data at the server level, with a fake "service", such as an FTP server actually recording the data sent to it. The problem with that concept is that the services doing the recording have to be started before they will record anything. This means that events such as stealth port scans or binary data streams will be missed or garbled on honeypots that don't perform packet level monitoring. Another problem is that the data generated by such a system will tend to be complex by its nature. The data coming out of a honeypot requires a skilled analyst to properly interpret the results. Snort can be a great help to the analyst/administrator with its packet classification and automatic alerting functionality. With these capabilities a honeypot can be erected as a stand alone intrusion detection mechanism. It requires no other monitoring or maintenance because Snort can be set to record and generate event notification on the first packet that arrives at the honeypot. 
Snort can be used to implement another concept that is being advocated today; that of "passive traps" [MJR99]. A passive trap uses the "home field advantage" that network administrators enjoy when securing their networks. One aspect of this concept is that administrators know which services are not available on their networks. Snort rules can be written that watch for traffic headed for these non-existent services. Packets which are found to be using these ports may be an indication of port scanning, backdoors, or other hostile traffic. For example, a network that is not using TFTP can be configured with Snort alert rules for all packets headed to or from any node on the network bound for port 69. This can be a good method for detecting covert communications channels such as Loki or backdoors like Back Orifice. Another easy concept to implement is to set up pass rules for all of the services known to be running on a network and log inbound connections to other ports or port ranges. Shining some light on SHADOW SHADOW is designed to be a cheap alternative to commercial NIDS. As an aside, SHADOW was probably the first true lightweight intrusion detection system. tcpdump is used as the sensor in these systems, which are configured using often extensive BPF commands. All traffic that is not filtered out with these BPF rules is collected into a single file that can become quite large over extended periods of time. Once the data is collected by the sensor, it is post-processed using a variety of external third party tools. There are some limitations to this system, including a complete lack of real-time alerts and a lack of good data classification tools to aid the analyst in identifying the data produced by the sensor. Snort uses the same BPF filter language rules as tcpdump, and can be used as a complete replacement for tcpdump sensors in environments where SHADOW is the IDS of choice. 
The advantages of using Snort as a replacement sensor include real-time automatic traffic classification as it is collected and real-time alerting. This allows security events to be detected and acted upon by the administrative staff in a more timely manner and log file sizes to be reduced significantly. At the same time, Snort can record the data it collects to tcpdump formatted files so that the data generated by the system can be post-processed for in depth analysis with existing tools that analysts are comfortable using. Focused monitoring "Focused monitoring" is the concept of watching a single critical node or service on a network for signs of hostile activity. For example, the Sendmail [ALMN99] SMTP server has an extensive and well known list of vulnerabilities and exploits. A single Snort sensor could be deployed with a rule set that covers all known Sendmail attacks and would provide highly focused monitoring of that specific traffic on the network. These rules could even be extended to provide a running narrative of all of the commands and responses into and out of SMTP servers on the defended network. This can make the network security analysts job somewhat easier by letting the collection engine (Snort) describe the normal flow of commands and responses as well as the attacks. Focused monitoring can be especially useful in instances where existing NIDS provide inadequate coverage. For example, a set of rules that monitor SQL database queries to a web or database server could be developed. This would provide more complete coverage of CGI and ODBC SQL attacks and probes than any commercial NIDS on the market today. This concept can be extended to any network communications technology that is under represented by commercial NIDS. Conclusions Snort was designed to fulfill the requirements of a prototypical lightweight network intrusion detection system. 
It has become a small, flexible, and highly capable system that is in use around the world on both large and small networks. It has attained its initial design goals and is a fully capable alternative to commercial intrusion detection systems in places where it is cost inefficient to install full featured commercial systems. Availability and Requirements Snort will run on any platform where libpcap will run. The current version of Snort is 1.2.1, and libpcap is required to compile and run the software. Snort is known to run on RedHat Linux 5.1/5.2/6.0, Debian Linux, MkLinux, S/Linux, HP-UX, Solaris 2.5.1 - 2.7 (x86 and Sparc), x86 Free/Net/OpenBSD, M68k NetBSD, and MacOS X. Information about snort may be acquired directly from the author's web site at http://www.clark.net/~roesch/security.html Snort may be downloaded from the author's web site at http://www.clark.net/~roesch/snort-1.2.1.tar.gz There is a slowly growing library of Snort rules available at http://www.clark.net/~roesch/snort-lib Acknowledgements Snort originally used Mike Borella's ipgrab program as a development template and example for how to properly code libpcap programs and packet decoders. ipgrab can be found at http://www.borella.net. Mike's code is an excellent starting point for any libpcap-based project. Ron Gula of Network Security Wizards provided valuable advice on logging methodologies and some of the initial program logic, as well as contributing example rules to the system. Ken Williams has been fantastically supportive throughout the development of Snort, providing encouragement and ideas for additional features as well as providing a friendly forum for the distribution of Snort. The Snort user community has been especially enjoyable to work with, providing bug reports, ideas for new development directions, and new rules for the library since the program's initial release. 
Their support and enthusiasm has kept this a vital and growing collaborative project far past what I had imagined was possible! References [SHD98] SHADOW, Steven Northcutt et al, Naval Surface Warfare Center Dahlgren Laboratory, 1998. [TCPD91] tcpdump, Van Jacobson, Craig Leres and Steven McCanne, Lawrence Berkeley National Laboratory, 1991. [PCAP94] libpcap, Van Jacobson, Craig Leres and Steven McCanne, Lawrence Berkeley National Laboratory, 1994. [DTK98] Deception Toolkit, Fred Cohen & Associates, 1998. [GNU89] GNU General Public License, Richard Stallman, 1989. [BPF93] The BSD Packet Filter: A New Architecture for User-level Packet Capture, Steven McCanne, Van Jacobson, USENIX Technical Conference Proceedings, 1993. [ALE96] Smashing the Stack for Fun and Profit, Aleph1, Phrack #49, 1996. [BTQ99] Bugtraq Mailing List, archives and vulnerability data base are available at Security Focus. [IISBT99] NT IIS Showcode ASP Vulnerability (Bugtraq ID #167), Parcens/L0pht, May 1999. [OSS98] The Cathedral and the Bazaar, Eric S. Raymond, 1998. [FYD97] The Art of Port Scanning, Fyodor, Phrack #51, 1997. [SWT92] Centralized System Monitoring With Swatch, Stephen E. Hansen and E. Todd Atkins, USENIX Seventh Systems Administration Conference, 1993 [SEDG97] Algorithms in C: Fundamentals, Data Structures, Sorting, Searching, Robert Sedgewick, Addison-Wesely Publishing Company, 1997 [IRDP99] L0pht Security Advisory, Silicosis and Mudge, August 1999 [ALMN99] Sendmail, Eric Allman, 1999 [PTA98] Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Thomas Ptacek and Timothy Newsham, Secure Networks Inc, 1998 [MJR99] Burglar Alarms for Detecting Intrusions, Marcus Ranum, NFR Inc, 1999 Author Information Martin Roesch is a Network Security Engineer with Stanford Telecommunications Inc. He holds a B.S. in Computer Engineering from Clarkson University. He has extensive experience with intrusion detection systems and has developed several systems professionally. 
He was a primary software engineer during the development of GTE Internetworking's Global Network Infrastructure IDS, and designed and developed GTE's new commercial honeypot/deception system "Sentinel". He is also a member of the Trinux Linux Security Toolkit distribution development team. Snort is his first Open Source Software project, and has been an excellent learning experience for him. Contact him at . Appendix A. Sample NFR rule to detect web server CGI probes (n-code sample excerpted from the L0pht's NFR IDS Modules web page at ). --------------------------------------------------------------------------- badweb_schema = library_schema:new( 1, ["time", "int", "ip", "ip", "str"], scope()); # list of web servers to watch. List IP address of servers or a netmask # that matches all. use 0.0.0.0:0.0.0.0 to match any server da_web_servers = [ 0.0.0.0:0.0.0.0 ] ; query_list = [ "/cgi-bin/nph-test-cgi?", "/cgi-bin/test-cgi?", "/cgi-bin/perl.exe?", "/cgi-bin/phf?" ] ; filter bweb tcp ( client, dport: 80 ) { if (! 
( tcp.connDst inside da_web_servers) ) return; declare $blob inside tcp.connSym; if ($blob == null) $blob = tcp.blob; else $blob = cat ( $blob, tcp.blob ); while (1 == 1) { $x = index( $blob, "\n" ); if ($x < 0) # break loop if no complete line yet break; $t=substr($blob,$x-1,1); # look for cr at end of line if ($t == '\r') $t=substr($blob,0,$x-1); # tear off line else $t=substr($blob,0,$x); $counter=0; foreach $y inside (query_list) { $z = index( $blob, $y ); if ( $z >= 0) { $counter=1; # save the time, the connection hash, the client, # the server, and the command to a histogram record system.time, tcp.connHash, tcp.connSrc, tcp.connDst, $t to badweb_hist; } } if ($counter) break; } # keep us from getting flooded if there is no newline in the data if (strlen($blob) > 4096) $blob = ""; # save the blob for next pass $blob = substr($blob, $x + 1); } badweb_hist = recorder ("bin/histogram packages/test/badweb.cfg", "badweb_schema" ); --------------------------------------------------------------------------------- Snort rules to detect the same web CGI probes. --------------------------------------------------------------------------------- alert tcp any any -> any 80 (msg:"CGI-nph-tst-cgi"; content:"cgi-bin/nph-test-cgi?"; flags: PA;) alert tcp any any -> any 80 (msg:"CGI-test-cgi"; content:"cgi-bin/test-cgi?"; flags: PA;) alert tcp any any -> any 80 (msg:"CGI-perl.exe"; content:"cgi-bin/perl.exe?"; flags: PA;) alert tcp any any -> any 80 (msg:"CGI-phf"; content:"cgi-bin/phf?"; flags: PA;) --------------------------------------------------------------------------------- debian/my/snort_rules.html0000664000000000000000000006601512317374526013104 0ustar Writing Snort Rules
Writing Snort Rules
How To write Snort rules and keep your sanity
Current as of version 1.3.1.2
By Martin Roesch

Contents


The Basics
Snort uses a simple, lightweight rules description language that is flexible and quite powerful.  There are a number of simple guidelines to remember when developing Snort rules.

The first is that Snort rules must be completely contained on a single line, the Snort rule parser doesn't know how to handle rules on multiple lines.

Snort rules are divided into two logical sections, the rule header and the rule options.  The rule header contains the rule's action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information.  The rule option section contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken.

Here is an example rule:

alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg: "mountd access";)
Figure 1 - Sample Snort Rule

The text up to the first parenthesis is the rule header and the section enclosed in parenthesis is the rule options.  The words before the colons in the rule options section are called option keywords.  Note that the rule options section is not specifically required by any rule, they are just used for the sake of making tighter definitions of packets to collect or alert on (or drop, for that matter).  All of the elements that make up a rule must be true for the indicated rule action to be taken.  When taken together, the elements can be considered to form a logical AND statement.  At the same time, the various rules in a Snort rules library file can be considered to form a large logical OR statement.  Let's begin by talking about the rule header section.


Rule Headers
Rule Actions:

The rule header contains the information that defines the "who, where, and what" of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule should show up.  The first item in a rule is the rule action.  The rule action tells Snort what to do when it finds a packet that matches the rule criteria.  There are three available actions in Snort, alert, log, and pass.

  • alert - generate an alert using the selected alert method, and then log the packet
  • log - log the packet
  • pass - drop (ignore) the packet
Protocols:

The next field in a rule is the protocol.  There are three IP protocols that Snort currently analyzes for suspicious behavior, tcp, udp, and icmp.  In the future there may be more, such as ARP, IGRP, GRE, OSPF, RIP, IPX, etc.

  • tcp
  • udp
  • icmp
IP Addresses:

The next portion of the rule header deals with the IP address and port information for a given rule.  The keyword "any" may be used to define any address.  Snort does not have a mechanism to provide host name lookup for the IP address fields in the rules file.  The addresses are formed by a straight numeric IP address and a CIDR block.  The CIDR block indicates the netmask that should be applied to the rule's address and any incoming packets that are tested against the rule.  A CIDR block mask of /24 indicates a Class C network, /16 a Class B network, and /32 indicates a specific machine address.  For example, the address/CIDR combination 192.168.1.0/24 would signify the block of addresses from 192.168.1.1 to 192.168.1.255.  Any rule that used this designation for, say, the destination address would match on any address in that range.  The CIDR designations give us a nice short-hand way to designate large address spaces with just a few characters.

In Figure 1, the source IP address was set to match for any computer talking, and the destination address was set to match on the 192.168.1.0 Class C network.

There is an operator that can be applied to IP addresses, the negation operator.  This operator tells Snort to match any IP address except the one indicated by the listed IP address.  The negation operator is indicated with a "!".  For example, an easy modification to the initial example is to make it alert on any traffic that originates outside of the local net with the negation operator as shown in Figure 2.

alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)
Figure 2 - Example IP Address Negation Rule

This rule's IP addresses indicate "any tcp packet with a source IP address not originating from the internal network and a destination address on the  internal network".

Port Numbers

Port numbers may be specified in a number of ways, including "any" ports, static port definitions, ranges, and by negation.  "Any" ports are a wildcard value, meaning literally any port.  Static ports are indicated by a single port number, such as 111 for portmapper, 23 for telnet, or 80 for http, etc.  Port ranges are indicated with the range operator ":".  The range operator may be applied in a number of ways to take on different meanings, such as in Figure 3.
 
 

log udp any any -> 192.168.1.0/24 1:1024 
log udp traffic coming from any port and destination ports ranging from 1 to 1024
log tcp any any -> 192.168.1.0/24 :6000 
log tcp traffic from any port going to ports less than or equal to 6000
log tcp any :1024 -> 192.168.1.0/24 500: 
log tcp traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 500
Figure 3 - Port Range Examples


Port negation is indicated by using the negation operator "!".  The negation operator may be applied against any of the other rule types (except any, which would translate to none, how Zen...).  For example, if for some twisted reason you wanted to log everything except the X Windows ports, you could do something like the rule in Figure 4.
 
 

log tcp any any -> 192.168.1.0/24 !6000:6010
Figure 4 - Example of Port Negation


The Direction Operator

The direction operator "->" indicates the orientation, or "direction", of the traffic that the rule applies to.  The IP address and port numbers on the left side of the direction operator is considered to be the traffic coming from the source host, and the address and port information on the right side of the operator is the destination host.  There is also a bidirectional operator, which is indicated with a "<>" symbol.  This tells Snort to consider the address/port pairs in either the source or destination orientation.  This is handy for recording/analyzing both sides of a conversation, such as telnet or POP3 sessions.  An example of the bidirectional operator being used to record both sides of a telnet session is shown in Figure 5.
 
 

log !192.168.1.0/24 any <> 192.168.1.0/24 23
Figure 5 - Snort rules using the Bidirectional Operator
Rule Options
Rule options form the heart of Snort's intrusion detection engine, combining ease of use with power and flexibility.  All Snort rule options are separated from each other using the semicolon ";" character.  Rule option keywords are separated from their arguments with a colon ":" character. As of this writing, there are fifteen rule option keywords  available for Snort:
  • msg - prints a message in alerts and packet logs
  • logto - log the packet to a user specified filename instead of the standard output file
  • minfrag - set a threshold value for the smallest acceptable IP fragment size
  • ttl - test the IP header's TTL field value
  • id - test the IP header's fragment ID field for a specific value
  • dsize - test the packet's payload size against a value
  • content - search for a pattern in the  packet's payload
  • offset - modifier for the content option, sets the offset to begin attempting a pattern match
  • depth - modifier for the content option, sets the maximum search depth for a pattern match attempt
  • flags - test the TCP flags for certain values
  • seq - test the TCP sequence number field for a specific value
  • ack - test the TCP acknowledgement field for a specific value
  • itype - test the ICMP type field against a specific value
  • icode - test the ICMP code field against a specific value
  • session - dumps the application layer information for a given session


Msg

The msg rule option tells the logging and alerting engine the message to print along with a packet dump or to an alert.  It is a simple text string that utilizes the "\" as an escape character to indicate a discrete character that might otherwise confuse Snort's rules parser (such as the semi-colon ";" character).

Format:

msg: "<message text>";


Logto

The logto option tells Snort to log all packets that trigger this rule to a special output log file.  This is especially handy for combining data from things like NMAP activity, HTTP CGI scans, etc.  It should be noted that this option does not work when Snort is in binary logging mode.

Format:

logto: "<filename>";


Minfrag

Minfrag sets a minimum size threshold for a fragmented packet.  It is generally used in conjunction with a single alert rule to set a boundary for the minimum fragment size that is acceptable on a network segment.  It makes a handy detector for attackers that like to break their fragments into tiny pieces before transmitting them to try to avoid detection mechanisms.  Generally speaking, there is virtually no commercial network equipment available that generates fragments smaller than 256-bytes, so people can take advantage of this fact by setting their minfrag value somewhere below that threshold.  See Figure 6 for an example of a rule that uses the minfrag option.

Format:

minfrag: "<number>";
alert tcp any any -> any any (minfrag: 256; msg: "Tiny fragments detected, possible hostile activity";)
Figure 6 - Minfrag Rule Option Example





TTL

This rule option is used to set a specific time-to-live value to test against.  The test it performs is only successful on an exact match.  This option keyword was intended for use in the detection of traceroute attempts.

Format:

ttl: "<number>";
ID

This option keyword is used to test for an exact match in the IP header fragment ID field.  Some hacking tools (and other programs) set this field specifically for various purposes, for example the value 31337 is very popular with some hackers.  This can be turned against them by putting a simple rule in place to test for this and some other "hacker numbers".

Format:

id: "<number>";


Dsize

The dsize option is used to test the packet payload size.  It may be set to any value, plus use the greater than/less than signs to indicate ranges and limits.  For example, if you know that a certain service has a buffer of a certain size, you can set this option to watch for attempted buffer overflows.  It has the added advantage of being a much faster way to test for a buffer overflow than a payload content check.

Format:

dsize: [>|<] <number>;
Note: The > and < operators are optional!


Content

The content keyword is one of the more important features of Snort.  It allows the user to set rules that search for specific content in the packet payload and trigger response based on that data.  Whenever a content option pattern match is performed, the Boyer-Moore pattern match function is called and the (rather computationally expensive) test is performed against the packet contents.  If data exactly matching the argument data string is contained anywhere within the packet's payload, the test is successful and the remainder of the rule option tests are performed.  Be aware that this test is case sensitive.

The option data for the content keyword is somewhat complex; it can contain mixed text and binary data.  The binary data is generally enclosed within the pipe ("|") character and represented as bytecode.  Bytecode represents binary data as hexadecimal numbers and is a good shorthand method for describing complex binary data.  Figure 7 contains an example of mixed text and binary data in a Snort rule.
 
 

alert tcp any any -> 192.168.1.0/24 143 (content: "|90C8 C0FF FFFF|/bin/sh"; msg: "IMAP buffer overflow!";)
Figure 7 - Mixed Binary Bytecode and Text in a Content Rule Option

Format:

content: "<content string>";


Offset

The offset rule option is used as a modifier to rules using the content option keyword.  This keyword modifies the starting search position for the pattern match function from the beginning of the packet payload.  It is very useful for things like CGI scan detection rules where the content search string is never found in the first four bytes of the payload.  Care should be taken against setting the offset value too "tightly" and potentially missing an attack!  This rule option keyword cannot be used without also specifying a content rule option.

Format:

offset: <number>;


Depth

Depth is another content rule option modifier.  This sets the maximum search depth for the content pattern match function to search from the beginning of its search region.  It is useful for limiting the pattern match function from performing inefficient searches once the possible search region for a given set of content has been exceeded.  (Which is to say, if you're searching for "cgi-bin/phf" in a web-bound packet, you probably don't need to waste time searching the payload beyond the first 20 bytes!)  See Figure 8 for an example of a combined content, offset, and depth search rule.

Format:

depth: <number>;

 
alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; offset: 3; depth: 22; msg: "CGI-PHF attack";)
Figure 8 - Combined Content, Offset and Depth Rule






Flags

This rule tests the TCP flags for an exact match.  There are actually 8 flags variables available in Snort:

  • F - FIN (LSB in TCP Flags byte)
  • S - SYN
  • R - RST
  • P - PSH
  • A - ACK
  • U - URG
  • 2 - Reserved bit 2
  • 1 - Reserved bit 1 (MSB in TCP Flags byte)
The reserved bits can be used to detect unusual behavior, such as IP stack fingerprinting attempts or other suspicious activity.  All of the flags are considered as a whole for this test, they must all be "up" for this rule option to be successful.  For instance, Figure 9 shows a SYN-FIN scan detection rule.

Format:

flags: <flag values>;

 
alert any any -> 192.168.1.0/24 any (flags: SF; msg: "Possible SYN FIN scan";)
Figure 9 - Sample TCP Flags Specification



Seq

This rule option refers to the TCP sequence number.  Essentially, it detects if the packet has a static sequence number set, and is therefore pretty much unused.  It was included for the sake of completeness.

Format:

seq: <number>;


Ack

The ack rule option keyword refers to the TCP header's acknowledge field.  This rule has one practical purpose so far: detecting  NMAP TCP pings.  A NMAP TCP ping sets this field to zero and sends a packet with the TCP ACK flag set to determine if a network host is active.  The rule to detect this activity is shown in Figure 10.

Format:

ack: <number>;

 
alert any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg: "NMAP TCP ping";)
Figure 10 - TCP ACK Field Usage



Itype

This rule tests the value of the ICMP type field.  It is set using the numeric value of this field.  For a list of the available values, look in the decode.h file included with Snort or in any ICMP reference.  It should be noted that the values can be set out of range to detect invalid ICMP type values that are sometimes used in denial of service and flooding attacks.

Format:

itype: <number>;


Icode

The icode rule option keyword is pretty much identical to the itype rule, just set a numeric value in here and Snort will detect any traffic using that ICMP code value.  Out of range values can also be set to detect suspicious traffic.

Format:

icode: <number>;


Session

The session keyword is brand new as of version 1.3.1.1 and is used to extract the user data from TCP sessions.  It is extremely useful for seeing what users are typing in telnet, rlogin, ftp, or even web sessions.  There are two available argument keywords for the session rule option, printable or all.  The printable keyword only prints out data that the user would normally see or be able to type.  The all keyword substitutes non-printable characters with their hexadecimal equivalents.  This function can slow Snort down considerably, so it shouldn't be used in heavy load situations, and is probably best suited for post-processing binary (tcpdump format) log files.  See Figure 11 for a good example of a telnet session logging rule.

Format:

session: [printable|all];

 
log tcp any any <> 192.168.1.0/24 23 (session: printable;)
Figure 11 - Logging Printable Telnet Session Data


Advanced Rule Concepts
 
Includes

Versions of Snort after 1.3.1.2 include new rules file parsing functionality developed by Christian Lademann, including two new rules file keywords.  The first of these keywords is include.  The include keyword allows other rule files to be included with the rules file that is indicated on the Snort command line.

Format:

include: <include file path/name>
Note that there is no semicolon at the end of this line.  Included files will substitute any predefined variable values into their own variable references.  See the Variables section for more information on defining and using variables in Snort rule files.

Variables

As of version 1.3.1.2, variables may be defined in Snort.  These are simple substitution variables set with the var keyword as in Figure 12.

Format:

var: <name> <value>

var MY_NET 192.168.1.0/24

alert tcp any any -> $MY_NET any (flags: S; msg: "SYN packet";)
 

Figure 12 - Example of Variable Definition and Usage

The rule variable names can be modified in several ways.  You can define meta-variables using the "$" operator.  These can be used with the variable modifier operators, "?" and "-".

  • $var - define meta variable
  • $(var) - replace with the contents of variable "var"
  • $(var:-default) - replace with the contents of the variable "var" or with "default" if "var" is undefined.
  • $(var:?message) - replace with the contents of variable "var" or print out the error message "message" and exit
See figure 13 for an example of these rules modifiers in action.
 
 

var MY_NET $(MY_NET:-192.168.1.0/24)

log tcp any any -> $(MY_NET:?MY_NET is undefined!) 23
 

Figure 13 - Advanced Variable Usage Example

 


Building Good Rules
There are some general concepts to keep in mind when developing Snort rules to maximize efficiency and speed.  I will add to this section as my muse wills. :)

Content Rules are Case Sensitive

Don't forget that content rules are case sensitive and that many programs typically use uppercase letters to indicate commands.  FTP is a good example of this.  Consider the following two rules:

alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";)
alert tcp any any -> 192.168.1.0/24 21 (content: "USER root"; msg: "FTP root login";)

The second of those two rules will catch most every automated root login attempt, but none that use lower case characters for "user".  Case insensitivity is a feature that will probably be added in future versions of Snort, but for now be aware that case counts!

Speeding Up Rules That Have Content Options

The order that rules are tested by the detection engine is completely independent of the order that they are written in a rule.  The last rule test that is done (when necessary) is always the content rule option.  Take advantage of this fact by using other faster rule options that can detect whether or not the content needs to be checked at all.  For instance, most of the time when data is sent from client to server after a TCP session is established, the PSH and ACK TCP flags are set on the packet containing the data.  This fact can be taken advantage of by rules that need to test payload content coming from the client to the server with a simple TCP flag test that is far less computationally expensive than the pattern match algorithm.  Knowing this, a simple way to speed up rules that use content options is to also perform a flag test, as in Figure 14.  The basic idea is that if the PSH and ACK flags aren't set, there's no need to test the packet payload for the given rule.  If the flags are set, the additional computing power required to perform the test is negligible.
 
 

alert tcp any any -> 192.168.1.0/24 80 (content: "cgi-bin/phf"; flags: PA; msg: "CGI-PHF probe";)
Figure 14 - Using TCP Flag Tests to Hasten Content Rules

 



 


Version 1.0, All rights reserved, © Copyright 1999 Martin Roesch debian/my/diff0000664000000000000000000000402112317374526010457 0ustar ---- start diff --- *** snort-stat Tue Feb 27 10:26:02 2001 ---- snort-stat.tomeck Tue Feb 27 10:38:25 2001 *************** *** 100,110 **** } # ! ################### print mail ################################## # ! open(MAIL,"| $sendmail $to") || die $!; ! printf MAIL "To: %s\n". "Subject: %s: snort daily report\n\n". "The log begins from: %3s %02d %02d:%02d:%02d\n". "The log ends at: %3s %02d %02d:%02d:%02d\n". ---- 100,121 ---- } # ! ################### Make tempfile ################################ # ! $cnt=0; ! while(1) { ! $tmpfile = "/tmp/snort-stat.$$.$cnt"; ! last unless -f $tmpfile; ! $cnt++; ! } ! ! # ! ################ Write report to tempfile ####################### ! # ! ! open(TMP,"> $tmpfile") || die $!; ! printf TMP "To: %s\n". "Subject: %s: snort daily report\n\n". "The log begins from: %3s %02d %02d:%02d:%02d\n". "The log ends at: %3s %02d %02d:%02d:%02d\n". *************** *** 129,143 **** $s0{$k}, $_[2], $_[1], $hostname . ! select(MAIL); $^ = SAME_ATTACK_TOP; $~ = SAME_ATTACK; foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @_ = split ",",$k; $hostname=`host $_[0] 2>/dev/null`; $hostname=$_[0] if (not defined $hostname) || ($hostname eq ""); $hostname=~ s/Name: //g; chomp($hostname); ! write if $s0{$k} > $treshold; } ! close(MAIL) || die $!; ---- 140,164 ---- $s0{$k}, $_[2], $_[1], $hostname . ! select(TMP); $^ = SAME_ATTACK_TOP; $~ = SAME_ATTACK; foreach $k (sort { $s0{$b} <=> $s0{$a} } keys %s0) { @_ = split ",",$k; + last if $s0{$k} <= $treshold; $hostname=`host $_[0] 2>/dev/null`; $hostname=$_[0] if (not defined $hostname) || ($hostname eq ""); $hostname=~ s/Name: //g; chomp($hostname); ! write; } ! select(STDOUT); ! close(TMP); ! ! # ! ################### send mail ################################## ! # ! ! system("cat $tmpfile | $sendmail $to"); ! unlink("$tmpfile"); ! 
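Review bot: The temp file introduced in the new "Make tempfile" block uses a predictable name under /tmp (`/tmp/snort-stat.$$.$cnt`), and the `-f` existence test followed by `open(TMP,"> $tmpfile")` is a check-then-use gap, so a pre-existing symlink at that path would be followed when the report is written; File::Temp's `tempfile()` (or `sysopen` with `O_CREAT|O_EXCL`) creates the file atomically and should replace the loop. The new `close(TMP)` also drops the `|| die $!` that the removed `close(MAIL)` had, and the return value of `system("cat $tmpfile | $sendmail $to")` is never checked, so a failed write or a failed mail hand-off now goes unreported before the `unlink`. Because `$sendmail` and `$to` are interpolated into a shell command line, piping the report directly with the list form `open(MAIL, '|-', $sendmail, $to) || die $!;` and printing the report into it would avoid both the shell and the temp file altogether. The enclosing script continues outside both hunks.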
--- end diff --- debian/snort-pgsql.config0000664000000000000000000001270612317374213012661 0ustar #!/bin/sh -e . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x if [ -r /etc/snort/snort.debian.conf ] ; then . /etc/snort/snort.debian.conf # Set the variables in debconf using the configuration values # (if defined) [ ! -z "$DEBIAN_SNORT_STARTUP" ] && { db_set snort-pgsql/startup "$DEBIAN_SNORT_STARTUP"; db_fset snort-pgsql/startup seen true ; } [ ! -z "$DEBIAN_SNORT_HOME_NET" ] && { db_set snort-pgsql/address_range "$DEBIAN_SNORT_HOME_NET"; db_fset snort-pgsql/address_range seen true ; } if [ ! -z "$DEBIAN_SNORT_OPTIONS" ] ; then # Remove the -p option wich is added in postinst due to the 'DISABLE_PROMISCUOUS' debconf option DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -p$//'` db_get snort/reverse_order if [ "x$RET" = "xyes" ]; then # Remove the -o option which was introduced by Debconf # (snort/reverse_order) in versions previous to 2.8.5.2-2 DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -o$//'` fi db_set snort-pgsql/options "$DEBIAN_SNORT_OPTIONS" db_fset snort-pgsql/options seen true fi [ ! -z "$DEBIAN_SNORT_INTERFACE" ] && { db_set snort-pgsql/interface "$DEBIAN_SNORT_INTERFACE"; db_fset snort-pgsql/interface seen true ; } [ ! -z "$DEBIAN_SNORT_SEND_STATS" ] && { db_set snort-pgsql/send_stats "$DEBIAN_SNORT_SEND_STATS"; db_fset snort-pgsql/send_stats seen true ; } [ ! -z "$DEBIAN_SNORT_STATS_RCPT" ] && { db_set snort-pgsql/stats_rcpt "$DEBIAN_SNORT_STATS_RCPT" ; db_fset snort-pgsql/stats_rcpt seen true ; } [ ! -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && { db_set snort-pgsql/stats_treshold "$DEBIAN_SNORT_STATS_THRESHOLD"; db_fset snort-pgsql/stats_treshold seen true ; } fi INTERFACES="" check_interfaces() { # Check the interface status, abort with error if a configured one is not # available [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do if ! 
LC_ALL=C ifconfig "$iface" 2>/dev/null | grep -w UP >/dev/null; then return 1 fi done return 0 } db_input low snort-pgsql/startup || true db_go # /etc/ppp/ip-up.d/snort-pgsql is called with interface and IP number db_get snort-pgsql/startup if [ "x$RET" = "xdialup" ]; then db_set snort-pgsql/interface "" db_set snort-pgsql/address_range "" db_set snort-pgsql/disable_promiscuous true else db_beginblock # Interface default in case the configuration file does not exist if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then INTERFACES=eth0 else INTERFACES="$DEBIAN_SNORT_INTERFACE" fi # Ask for a valid set of interfaces ok='' count=0 while [ ! "$ok" ] && [ "$count" -lt 2 ]; do # Depending on whether the default interface is up or down we set the # question priority priority='medium' if ! check_interfaces then priority='high' db_fset snort-pgsql/interface seen false fi set +e db_input $priority snort-pgsql/interface if [ $? -eq 30 ]; then # User is not being shown the question, break out break fi set -e db_go || true # Check the interfaces db_get snort-pgsql/interface INTERFACES=$RET if ! check_interfaces ; then db_fset snort-pgsql/invalid_interface seen false db_input critical snort-pgsql/invalid_interface else ok='yes' fi # Increment the count, we only go through this two times count=$(($count+1)) done db_input high snort-pgsql/address_range || true db_input low snort-pgsql/disable_promiscuous || true db_endblock db_go fi db_beginblock db_input low snort-pgsql/options || true db_endblock db_go db_beginblock db_input low snort-pgsql/send_stats || true db_go db_get snort-pgsql/send_stats if [ "x$RET" = "xtrue" ]; then # TODO: This values should not be empty (even # if we default to 'root' and '1' in the scripts) # so the config script should check wether the # values here are legitimate. 
db_beginblock db_input medium snort-pgsql/stats_rcpt || true db_input low snort-pgsql/stats_treshold || true db_endblock db_go fi # TODO: Database configuration should ensure that only # valid characters are included here. Since the information # is written into a configuration file at least hashes should be prevented. # See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567495 db_input high snort-pgsql/configure_db || true db_go db_get snort-pgsql/configure_db if [ "x$RET" = "xtrue" ]; then db_beginblock db_input medium snort-pgsql/db_host || true db_input medium snort-pgsql/db_database || true db_input medium snort-pgsql/db_user || true db_input medium snort-pgsql/db_pass || true # Use the old name for the Debconf value if it exists db_get snort-pgsql/wait_for_db_config || true if [ "x$RET" = "xtrue" ]; then db_set snort-pgsql/needs_db_config "true" || true else db_input high snort-pgsql/needs_db_config || true fi db_endblock db_go fi DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters if [ -e "$DEFAULT" ] && [ -e "$PARAMETERS" ] ; then db_beginblock db_input high snort-pgsql/config_parameters || true db_endblock db_go fi db_get snort-pgsql/startup if [ "x$RET" = "xmanual" ]; then db_beginblock db_input medium snort-pgsql/please_restart_manually || true db_endblock db_go fi db_stop debian/snort-pgsql.dirs0000664000000000000000000000025612317374213012352 0ustar etc/cron.daily etc/init.d etc/logrotate.d etc/default etc/ppp/ip-down.d etc/ppp/ip-up.d etc/snort usr/sbin usr/share/doc/snort usr/share/man/man8 var/log/snort var/lib/snort debian/snort-mysql.preinst0000664000000000000000000000614212317374213013114 0ustar #!/bin/sh set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters # Initialise variables SNORTUSER="" SNORTGROUP="" LOGDIR="" check_parameters() { # Check if the old parameters file is there and this is 
# an upgrade (default is not) # Abort if either the old parameters file does not exist # or if the new default has already been installed [ ! -r "$PARAMETERS" ] && return [ -r "$DEFAULT" ] && return # Extract our values from there logdir=`cat $PARAMETERS | perl -ne 'print $1 if /-l\s+([\w\/]+)/'` user_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-u\s+(\w+)/'` group_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-g\s+(\w+)/'` extraparms=`cat $PARAMETERS | sed -e 's/-l[[:space:]]\+[\/[:alnum:]]\+[[:space:]]\+//g; s/-u[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g; s/-g[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g;'` echo "Creating new $DEFAULT configuration based on $PARAMETERS" cat <$DEFAULT # Parameters for the daemon PARAMS="$extraparms" # Logging directory LOGDIR="$logdir" # Snort user SNORTUSER="$user_snort" # Snort group SNORTGROUP="$group_snort" EOF return } case "$1" in install|upgrade) check_parameters [ -r "$DEFAULT" ] && . $DEFAULT # Sane defaults, just in case [ -z "$SNORTUSER" ] && SNORTUSER=snort [ -z "$SNORTGROUP" ] && SNORTGROUP=snort [ -z "$LOGDIR" ] && LOGDIR=/var/log/snort # create snort user to avoid running snort as root # 1. create group if not existing if ! getent group | grep -q "^$SNORTGROUP:" ; then addgroup --quiet --system $SNORTGROUP 2>/dev/null || true fi # 2. create homedir if not existing test -d $LOGDIR || mkdir $LOGDIR # 3. create user if not existing if ! getent passwd | grep -q "^$SNORTUSER:"; then adduser --quiet \ --system \ --ingroup $SNORTGROUP \ --no-create-home \ --disabled-password \ $SNORTUSER 2>/dev/null || true fi # 4. adjust passwd entry usermod -c "Snort IDS" \ -d $LOGDIR \ -g $SNORTGROUP \ $SNORTUSER # 5. adjust file and directory permissions if ! 
dpkg-statoverride --list $LOGDIR >/dev/null then chown -R $SNORTUSER:adm $LOGDIR chmod u=rwx,g=rxs,o= $LOGDIR fi # setup /etc/snort test -d /etc/snort || mkdir /etc/snort # move config file to new location if [ -e /etc/snort.conf ]; then mv /etc/snort.conf /etc/snort/snort.conf fi # rename probably existing cron job with old name if [ -e /etc/cron.daily/snort ]; then mv /etc/cron.daily/snort /etc/cron.daily/5snort fi # If this is the first time we are installation then create # the /etc/snort/db-pending-config if [ "$1" = "install" ] && [ -z "$2" ] ; then touch /etc/snort/db-pending-config fi ;; configure) ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort-rules-default.dirs0000664000000000000000000000002012317374526013774 0ustar etc/snort/rules debian/snort.postrm0000664000000000000000000000354012317374526011617 0ustar #! /bin/sh # postrm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ # TODO : Should use /etc/default/snort definitions? 
case "$1" in purge|disappear) # Remove logfiles rm -rf /var/log/snort/ # Remove configuration if [ -e /etc/snort/snort.debian.conf ] ; then rm /etc/snort/snort.debian.conf fi if [ -e /etc/snort/snort.common.parameters ] ; then rm /etc/snort/snort.common.parameters fi if [ -e /etc/default/snort ] ; then rm /etc/default/snort fi # Remove files created to follow checksums if [ -e /var/lib/snort/snort.debian.conf.md5sum ]; then rm /var/lib/snort/snort.debian.conf.md5sum fi # Remove configuration dir [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort # Remove init.d update-rc.d -f snort remove >/dev/null # Remove user/group if getent passwd | grep -q "^snort:"; then userdel snort 2>/dev/null || true fi if getent group | grep -q "^snort:" ; then delgroup --only-if-empty snort 2>/dev/null || true fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) # nothing # We may not delete the user snort, as there may be # files owned by it in /var/log/snort and /etc/snort. ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# debian/snort.docs0000664000000000000000000000024312317374526011220 0ustar doc/AUTHORS doc/BUGS doc/CREDITS doc/NEWS doc/README doc/README.PLUGINS doc/USAGE doc/README.csv RELEASE.NOTES debian/my/snort_rules.html debian/README.Maintainer debian/snort-pgsql.postinst0000664000000000000000000004021612317374213013274 0ustar #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum DBCONFIG=/etc/snort/database.conf DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum # Create the checksum directory if it does not exist if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then mkdir $(dirname $CONFIG_CHECKSUM) fi . 
/usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. FIRSTINST= RECONFIGURE= if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then RECONFIGURE="true" else RECONFIGURE= fi if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then FIRSTINST="yes" fi if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then UPGRADE="yes" fi case "$1" in install) ;; upgrade) db_get snort-pgsql/startup || true if [ "$RET" = "manual" ]; then #db_fset snort-pgsql/please_restart_manually seen false db_beginblock db_input high snort-pgsql/please_restart_manually || true db_endblock db_go db_stop fi ;; configure) # only mess with config file it exists; otherwise, assume that's the way the # user wants it, but only if upgrading if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then # similarly, check for the existence of the checksum file; if it doesn't # exist, assume that's the way the user wants it, but only if upgrading if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then # next, compare the current and stored checksums; if they do not match, # assume that's the way the user wants it ... 
upgrading etc if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ [ -z "$UPGRADE" ]; then # they match; get ready to prepare a new version of the config file overwrite_config="yes" fi fi fi # generate new config file db_get snort-pgsql/startup || true; STARTUP="$RET" db_get snort-pgsql/interface || true; INTERFACE="$RET" db_get snort-pgsql/address_range || true; ADDRESS_RANGE="$RET" db_get snort-pgsql/disable_promiscuous || true; DISABLE_PROMISCUOUS="$RET" db_get snort-pgsql/send_stats || true; STATS_SEND="$RET" db_get snort-pgsql/stats_rcpt || true; STATS_RCPT="$RET" db_get snort-pgsql/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort-pgsql/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` # If this is an upgrade from a previous release that did not have # a configuration checksum then try to determine if we can # upgrade. # # To do this: tlest the current configuration against the old auto-generated configuration # file if there is no configuration checksum and create one if it exists. # Also, tell the script to overwrite with the new configuration file. if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then OLD_CONFIG=$(tempfile) cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if cmp -s "$CONFIG" "$OLD_CONFIG"; then md5sum "$CONFIG" > "$CONFIG_CHECKSUM" overwrite_config="yes" fi rm -f "$OLD_CONFIG" fi # Create the new configuration file based on debconf information NEW_CONFIG=$(tempfile) cat <>"$NEW_CONFIG" # snort.debian.config (Debian Snort configuration file) # # This file was generated by the post-installation script of the snort-pgsql # package using values from the debconf database. # # It is used for options that are changed by Debian to leave # the original configuration files untouched. # # This file is automatically updated on upgrades of the snort-pgsql # package *only* if it has not been modified since the last upgrade of that package. # # If you have edited this file but would like it to be automatically updated # again, run the following command as root: # dpkg-reconfigure snort-pgsql DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then if [ "$overwrite_config" = "yes" ] ;then cp "$NEW_CONFIG" "$CONFIG.dpkg-new" mv "$CONFIG.dpkg-new" "$CONFIG" md5sum "$CONFIG" > "$CONFIG_CHECKSUM" else if [ ! -e "$CONFIG" ] ; then echo "snort: not updating $CONFIG; file does not exist" >&2 else if [ ! 
-e "$CONFIG_CHECKSUM" ] ; then echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 else echo "snort: not updating $CONFIG; file has been customized" >&2 fi fi fi else # Update the md5sum file md5sum "$CONFIG" > "$CONFIG_CHECKSUM" fi rm -f "$NEW_CONFIG" if [ -e /etc/snort/db-pending-config ] ; then STARTUP="manual" echo echo "/etc/snort/db-pending-config file found" echo "Snort will not start as its database is not yet configured." echo "Please configure the database as described in" echo "/usr/share/doc/snort-pgsql/README-database.Debian" echo "and then remove /etc/snort/db-pending-config" fi # create database config stuff in the configuration file, # or configure it for syslog-logging. db_get snort-pgsql/configure_db if [ "$RET" = "true" ]; then # only mess with config file it exists; otherwise, assume that's the way the # user wants it, but only if upgrading if [ -e "$DBCONFIG" ] || [ -z "$UPGRADE" ]; then # similarly, check for the existence of the checksum file; if it doesn't # exist, assume that's the way the user wants it, but only if upgrading if [ -e "$DBCONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then # next, compare the current and stored checksums; if they do not match, # assume that's the way the user wants it ... upgrading etc if [ "$(md5sum "$DBCONFIG" 2>/dev/null)" = \ "$(cat "$DBCONFIG_CHECKSUM" 2>/dev/null)" ] || \ [ -z "$UPGRADE" ]; then # they match; get ready to prepare a new version of the config file overwrite_dbconfig="yes" fi fi fi if [ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]; then overwrite_config="yes" fi db_get snort-pgsql/db_host || true; DB_HOST=$RET db_get snort-pgsql/db_database || true; DB_DATABASE=$RET db_get snort-pgsql/db_user || true; DB_USER=$RET db_get snort-pgsql/db_pass || true; DB_PASS=$RET # Check if this is an upgrade from previous version with no checksum if [ ! 
-e "$DBCONFIG_CHECKSUM" ] && [ -e "$DBCONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then # Here we put the database stuff in the config file. TEMPFILE=$(tempfile) # Header information echo "# AUTOMATIC GENERATED FILE -- DO NOT EDIT" >> $TEMPFILE echo "# Please, keep your paws off of these file" >> $TEMPFILE echo "# or you *will* break the configure process (snort-pgsql/snort-pgsql only)" >> $TEMPFILE echo "# Anything you put in this file will be removed on (re)configure." >> $TEMPFILE echo -n "output database: log, postgresql, " >> $TEMPFILE if [ -n "$DB_USER" ] then echo -n "user=$DB_USER " >> $TEMPFILE fi if [ -n "$DB_PASS" ] then echo -n "password=$DB_PASS " >> $TEMPFILE fi if [ -n "$DB_DATABASE" ] then echo -n "dbname=$DB_DATABASE " >> $TEMPFILE fi if [ -n "$DB_HOST" ] then echo -n "host=$DB_HOST " >> $TEMPFILE fi echo " " >> $TEMPFILE if cmp -s "$DBCONFIG" "$TEMPFILE"; then md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" overwrite_dbconfig="yes" fi fi NEW_DBCONFIG=$(tempfile) cat <>"$NEW_DBCONFIG" # database.config (Debian Snort database configuration file) # # This file was generated by the post-installation script of the # snort-pgsql package using values from the debconf database. # # It is used for database options for Snort that are configured # by the sysadmin to live the original configuration files untouched. # # This file is automatically updated on upgrades of the snort-pgsql # package *only* if it has not been modified since the last upgrade of that # package. 
# # If you have edited this file but would like it to be automatically updated # again, run the following command as root: # dpkg-reconfigure snort-pgsql # EOF echo -n "output database: log, postgresql, " >> "$NEW_DBCONFIG" [ -n "$DB_USER" ] && echo -n "user=$DB_USER " >> "$NEW_DBCONFIG" [ -n "$DB_PASS" ] && echo -n "password=$DB_PASS " >> "$NEW_DBCONFIG" [ -n "$DB_DATABASE" ] && echo -n "dbname=$DB_DATABASE " >> "$NEW_DBCONFIG" [ -n "$DB_HOST" ] && echo -n "host=$DB_HOST " >> "$NEW_DBCONFIG" echo " " >> "$NEW_DBCONFIG" if ! cmp -s "$CONFIG" "$NEW_DBCONFIG"; then if [ "$overwrite_dbconfig" = "yes" ] ;then cp "$NEW_DBCONFIG" "$DBCONFIG.dpkg-new" mv "$DBCONFIG.dpkg-new" "$DBCONFIG" md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" else if [ ! -e "$DBCONFIG" ] ; then echo "snort: not updating $DBCONFIG; file does not exist" >&2 else if [ ! -e "$DBCONFIG_CHECKSUM" ] ; then echo "snort: not updating $DBCONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 else echo "snort: not updating $DBCONFIG; file has been customized" >&2 fi fi fi fi rm -f "$NEW_DBCONFIG" fi # of if $RET true - end of database configuration # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null then chown root:snort /etc/snort/snort.conf chmod 640 /etc/snort/snort.conf fi if ! dpkg-statoverride --list /etc/snort/database.conf >/dev/null then chown root:snort /etc/snort/database.conf chmod 640 /etc/snort/database.conf fi db_stop # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf if [ -f $OLDCONF ]; then mv $OLDCONF $OLDCONF.OBSOLETE fi # Update the rc.d's update-rc.d snort defaults >/dev/null if [ "$STARTUP" != "manual" ]; then # in the case we reconfigure we have to restart and not just to start. if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? 
fi fi # of if STARTUP - manual ;; abort-upgrade) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac if [ "$STARTUP" = "dialup" ]; then # Try to guess environments for all pppds we have no .env for... for PPPD_PID in $(pidof pppd ipppd); do # If we got an empty PID (however), we break here test "$PPPD_PID" || continue # # This is a lot of shell voodoo, let's try to figure it out: # 1. egrep: # It greps for our current pppd PID in all pppd and ipppd # pidfiles. # It *should* return exactly one file name: the one with # our current pppd PID in it; however, to be safe, we fence # it with a head -1. # 2. basename $(egrep ...) .pid: # It takes the file name from the egrep and strips off its # path and the .pid suffix # 3. sed: # Unfortunately the filenames of pppd and ipppd differ: # pppd uses $INTERFACE.pid, while ipppd uses # ipppd.$INTERFACE.pid. # The .pid is already stripped off by basename, thus, we # just strip off any "ipppd." prefix and end up in the # plain interface name. # Maybe pppd decides to change it's pidfile naming # convention according to ipppd somewhere in the future, # thus, we use '^i\?pppd\.' (sed eregex) and thus strip # off all "ipppd." and all "pppd." prefixes. This doesn't # harm anyways. # Because of the pppd pidfile naming convention, our # approach works always with ipppd and mostly with pppd: # the latter only, if the user did not decide to rename # his ppp interface to something else than ppp* # (not possible currently, afaics). # PPP_IFACE=$(basename $(egrep -l "^[[:space:]]*$PPPD_PID[[:space:]]*\$" /var/run/ppp*.pid /var/run/ipppd.*.pid 2> /dev/null | head -1) .pid | sed -e 's/^i\?pppd\.//') # # If we got no interface from pidfiles (because there are no # pidfiles, for example), we assume the most common case: # one pppd with default route set. # This is ugly, but there is no other chance. Let's hope, # nobody ever manages multiple pppds without pidfiles for # them. 
# test "$PPP_IFACE" || PPP_IFACE=$(route -n | awk '/^0\.0\.0\.0 / { print $8 }') # If we couldn't discover an interface name, we break here test "$PPP_IFACE" || continue PPP_LOCAL=$(ifconfig $PPP_IFACE | awk '/inet addr:/ { gsub("addr:", ""); print $2 }') # If we couldn't discover a local IP, we break here test "$PPP_LOCAL" || continue ENVFILE=/var/run/snort_$PPP_IFACE.env # If we already have an .env for that interface, we break here test -e "$ENVFILE" && continue # Write .env for that interface echo "Creating missing $ENVFILE" echo "PPPD_PID=$PPPD_PID" > "$ENVFILE" echo "PPP_IFACE=$PPP_IFACE" >> "$ENVFILE" echo "PPP_LOCAL=$PPP_LOCAL" >> "$ENVFILE" # If such a snort is still running, just kill it ps -ef | grep /usr/sbin/snort | grep "$PPP_LOCAL" | grep "$PPP_IFACE" | awk '{ print $2 }' | xargs --no-run-if-empty kill -s KILL >/dev/null done fi if [ "$STARTUP" = "boot" ] || [ "$STARTUP" = "dialup" ]; then if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort start || exit $? else /etc/init.d/snort start || exit $? fi fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort.common.parameters0000664000000000000000000000006112317374526013720 0ustar -m 027 -D -l /var/log/snort -d -u snort -g snort debian/check-snort-conf.sh0000775000000000000000000000203612317374526012705 0ustar #!/bin/sh # Check configuration file provided by snort.conf upstrea # to detect rules files which are not available set -e CONFIG="etc/snort.conf" errval=0 if [ ! -e "$CONFIG" ] ; then echo "ERROR: configuration file $CONFIG does not exist" >&2 exit 1 fi if [ ! -d "rules" ] ; then echo "ERROR: Rules subdirectory does not exist" >&2 exit 1 fi # Review the rules which are enabled but do not exist cat $CONFIG | grep -v ^# | egrep 'include \$RULE_PATH.*\.rules$' | awk -F "/" '{print $2}' | while read rules_file; do if [ ! 
-e "rules/$rules_file" ] ; then echo "ERROR: Rules file $rules_file in configuration file does not exist under rules/" >&2 errval=1 fi done # Review the rules which are disabled but *do* exist cat $CONFIG | grep ^# | egrep 'include \$RULE_PATH.*\.rules$' | awk -F "/" '{print $2}' | while read rules_file; do if [ -e "rules/$rules_file" ] ; then echo "WARN: Rules file $rules_file disabled in configuration file but exists under rules/" >&2 fi done exit $errval debian/README-database.Debian0000664000000000000000000001112612317374213012777 0ustar !! The database output plugins are considered deprecated as of Snort 2.9.2 and !! will be removed by the upstream maintainers in Snort 2.9.3. !! !! Consequently, the database packages for Debian will be removed with !! the next Snort release. !! !! The recommended approach to logging is to use unified2 with barnyard2 !! or similar. SNORT WITH DATABASE SUPPORT ------------------------------ If you are using snort-pgsql or snort-mysql please notice that you have to create the database structure right after installing the package and start Snort manually. In order to create the database structure do: - first create the database (see below 'CREATING THE DATABASE') - if using PostgreSQL $ cd /usr/share/doc/snort-pgsql/ $ zcat create_postgresql.gz | psql -U -h -W - if using MySQL $ cd /usr/share/doc/snort-mysql/ $ zcat create_mysql.gz | mysql -u -h -p In either case fill in the correct values for the user, host, and database names. Depending on the user priviledges set on the database you can use the same user that Snort will use to access the database or an admin user. In either case, the user you use should have priviledges to create tables and indexes. Once created you have to grant the user your configured in Debconf so that it has priviledges over the tables created through the schema. Once you have setup the database, you will need to start Snort manually since it was left unstarted after the installation. 
To do this remove the file '/etc/snort/db-pending-config' and then do '/etc/init.d/snort start'. Confirm that snort is working and up by running '/etc/init.d/snort status' and reviewing the messages in the /var/log/daemon.log syslog file. CREATING THE DATABASE ----------------------- Notice that in order for the above to work you need to create first a database. The following section provides some quick examples that should be sufficient to create a database for Snort. Note: The following examples assume you have used the following information when answering the questions related to database configuration when installing the package: * Database Username: snort * Database Password: snort-db * Database name: snort * Database host: localhost To create the database in MySQL you can do the following: [ running as an mysql user with admin privileges ] $ mysql mysql> CREATE DATABASE snort; mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort@localhost; mysql> grant CREATE, INSERT, SELECT, UPDATE on snort.* to snort; mysql> SET PASSWORD FOR snort@localhost=PASSWORD('snort-db'); mysql> flush privileges; [ you can confirm the changes above running ] mysql> show grants for 'snort'@'localhost'; And then you can run the command above as: $ zcat create_mysql.gz | mysql -u snort -D snort -psnort-db To create the database in PosgreSQL you can do this: [ running as user 'posgres' ] $ psql template1 template1=# CREATE DATABASE snort; CREATE DATABASE template1=# \q $ zcat create_postgresql.gz | psql snort [ creates the database ] If you are using authentication based on passwords in your PostgreSQL database you will have to use this: $ psql snort snort=# CREATE USER snort PASSWORD 'snort-db'; CREATE USER snort=# GRANT INSERT, SELECT, UPDATE ON TABLE data,detail,encoding, event,icmphdr,iphdr,opt,reference,reference_system,schema,sensor, sig_class,signature,sig_reference,tcphdr,udphdr TO snort; GRANT [ now you can confirm that it was indeed created ] snort=# SELECT * FROM 
pg_user WHERE usename='snort'; snort=#\q You should be able now to connect to the PostgreSQL database with: $ psql -U snort --password snort [ introduce the password defined above when requested ] Alternatively, if the sensor is running on the same server as the database you could use 'ident' authentication, since the Snort sensor will be running as user 'snort'. Use this line in /etc/postgresql/pg_hba.conf: ------------------------------------------------------------------------------ host all all 127.0.0.1 255.255.255.255 ident sameuser ------------------------------------------------------------------------------ KNOWN LIMITATIONS ----------------- In Debian, IPv6 support is not enabled when the database packages are used because the database schemas for Snort do not log IPv6 addresses. This is not foreseen to change since upstream is dropping support of the database modules for future releases. -- Javier Fernandez-Sanguino Pen~a Wed, 25 Jan 2012 23:00:05 +0100 debian/snort-doc.dirs0000664000000000000000000000002512317374526011772 0ustar /usr/share/doc/snort debian/snort-mysql.prerm0000664000000000000000000000275712317374213012565 0ustar #! /bin/sh # prerm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `upgrade' # * `failed-upgrade' # * `remove' `in-favour' # * `deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ case "$1" in remove|upgrade|deconfigure) if [ -x "/etc/init.d/snort" ] ; then if [ -x "`which invoke-rc.d >/dev/null 2>&1`" ] ; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi else start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort fi rm -f /var/run/snort_*.pid # Older versions of snort just kill every process with 'snort' in the # name, so also 'snort.prerm'. This fixes that. 
ps cax | grep ' snort$' | awk '{print $1}' | xargs --no-run-if-empty kill -s KILL >/dev/null || true ;; failed-upgrade) ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort-inline.manpages0000664000000000000000000000001012317374213013320 0ustar snort.8 debian/snort-inline.default0000664000000000000000000000147612317374213013172 0ustar # Parameters for the daemon # Add any additional parameteres here. PARAMS="-m 027 -D -d " # # Snort user # This user will be used to launch snort. Notice that the # preinst script of the package might do changes to the user # (home directory, User Name) when the package is upgraded or # reinstalled. So, do *not* change this to 'root' or to any other user # unless you are sure there is no problem with those changes being introduced. # SNORTUSER="snort" # # Logging directory # Snort logs will be dropped here and this will be the home # directory for the SNORTUSER. If you change this value you should # change the /etc/logrotate.d/snort definition too, otherwise logs # will not be rotated properly. # LOGDIR="/var/log/snort" # # Snort group # This is the group that the snort user will be added to. # SNORTGROUP="snort" debian/snort.preinst0000664000000000000000000000570312317374526011762 0ustar #!/bin/sh set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters # Initialise variables SNORTUSER="" SNORTGROUP="" LOGDIR="" check_parameters() { # Check if the old parameters file is there and this is # an upgrade (default is not) # Abort if either the old parameters file does not exist # or if the new default has already been installed [ ! 
-r "$PARAMETERS" ] && return [ -r "$DEFAULT" ] && return # Extract our values from there logdir=`cat $PARAMETERS | perl -ne 'print $1 if /-l\s+([\w\/]+)/'` user_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-u\s+(\w+)/'` group_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-g\s+(\w+)/'` extraparms=`cat $PARAMETERS | sed -e 's/-l[[:space:]]\+[\/[:alnum:]]\+[[:space:]]\+//g; s/-u[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g; s/-g[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g;'` echo "Creating new $DEFAULT configuration based on $PARAMETERS" cat <$DEFAULT # Parameters for the daemon PARAMS="$extraparms" # Logging directory LOGDIR="$logdir" # Snort user SNORTUSER="$user_snort" # Snort group SNORTGROUP="$group_snort" EOF return } case "$1" in install|upgrade) check_parameters [ -r "$DEFAULT" ] && . $DEFAULT # Sane defaults, just in case [ -z "$SNORTUSER" ] && SNORTUSER=snort [ -z "$SNORTGROUP" ] && SNORTGROUP=snort [ -z "$LOGDIR" ] && LOGDIR=/var/log/snort # create snort user to avoid running snort as root # 1. create group if not existing if ! getent group | grep -q "^$SNORTGROUP:" ; then addgroup --quiet --system $SNORTGROUP 2>/dev/null || true fi # 2. create homedir if not existing test -d $LOGDIR || mkdir $LOGDIR # 3. create user if not existing if ! getent passwd | grep -q "^$SNORTUSER:"; then adduser --quiet \ --system \ --ingroup $SNORTGROUP \ --no-create-home \ --disabled-password \ $SNORTUSER 2>/dev/null || true fi # 4. adjust passwd entry usermod -c "Snort IDS" \ -d $LOGDIR \ -g $SNORTGROUP \ $SNORTUSER > /dev/null 2>&1 || true # 5. adjust file and directory permissions if ! 
dpkg-statoverride --list $LOGDIR >/dev/null then chown -R $SNORTUSER:adm $LOGDIR chmod u=rwx,g=rxs,o= $LOGDIR fi # setup /etc/snort test -d /etc/snort || mkdir /etc/snort # move config file to new location if [ -e /etc/snort.conf ]; then mv /etc/snort.conf /etc/snort/snort.conf fi # rename probably existing cron job with old name if [ -e /etc/cron.daily/snort ]; then mv /etc/cron.daily/snort /etc/cron.daily/5snort fi ;; configure) ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/README.Maintainer0000664000000000000000000000166612317374526012161 0ustar # # files modified outside the debian directory # snort-lib: * Activated alert_syslog LOG_AUTH LOG_ALERT * Activated output log_tcpdump snort.log # easier for logrotate * Activated preprocessor defrag * Commented out the HOME_NET variable - this will be set in snort-startup-script. * Commented out the DNS_SERVER variable. What's the benefit? * Added 'include local-first' as first include and 'include local-last' as last include for user-specific extensions. * Commented out backdoor-lib completely. Too many false positives. * Commented out ping-lib completely. Too many false positives. I commented out the following detections as they either generated too many false positives or generate too much noise for harmless things like traceroutes or nmap fingerprint attempts. (marked by s/^/#debian#/) scan-lib: "detect fingerprinting attempts" "Windows Traceroutes" "Standard Traceroutes" "dst port 8080" # http proxy debian/copyright_list0000664000000000000000000000111112317374526012162 0ustar Martin Roesch Sourcefire, Inc Sourcefire Inc SourceFire, Inc Sourcefire,Inc Sourcefire Christopher R. Hertel Brian Caswell Andrew R. Baker Joshua Wright Jeff Nathan Carnegie Mellon University Jed Pickel MySQL AB PreludeIDS Technologies Todd C. 
Miller Association for Computing Machinery,Inc Marc Norton Daniel Roelker Michael Davis Kungliga Tekniska University of Cambridge Maciej Szarpak Phil Wood Christian Lademann Sendmail, Inc Eric P. Allman The Regents of the University of California Christopher Cramer Michael J. Pomraning Christian Lademann Free Software Foundation Makefile debian/snort-rules-default.preinst0000664000000000000000000001074212317374526014533 0ustar #!/bin/sh -e # Preinst for snort-common-rules, currently only handles # migration from old /etc/snort to new /etc/snort setup # check_md5() { # if the MD5sum matches the user has not modified it, remove it # if it does not match then just move it to the new location [ ! -f "$1" ] && return 1 [ -z "$2" ] && return 1 if md5sum $1 2>/dev/null |grep -q $2; then echo "Removing $1 since it has not been changed" rm -f $1 else # Optionally move to a directory if [ -n "$3" ] && [ -d "$3" ] ; then echo "Moving $1 to $3" mv $1 $3 fi fi } if [ ! -d /etc/snort/rules ] then mkdir -p /etc/snort/rules chown root:root /etc/snort/rules chmod 755 /etc/snort/rules fi case "$1" in install|upgrade) if [ "x$2" != "x" ] ; then if dpkg --compare-versions $2 lt 1.9.0beta4-1 ; then if [ ! 
-z "`ls /etc/snort/*.rules 2>/dev/null | head -1`" ] then echo "Checking if old rulefiles have been changed" echo " 3bc265bef3ff5fc675f9f1acf8ea6390 attack-responses.rules 3bc265bef3ff5fc675f9f1acf8ea6390 attack-responses.rules c20eb0f3f140b7659ebd37f2e3553f2d backdoor.rules 08b710276367c03fcd26d1b3512a870d bad-traffic.rules 48683f29e6452e4e43f1af004f537485 ddos.rules f605e07289ace0adc279aa46225834a5 dns.rules b231ab5af973df5f06201f16be8a37ff dos.rules 31788f18caaed776f021e5029bdd6757 exploit.rules 3f0c90491298edd0dfc37a6afc9ffac6 finger.rules a2f2068460b622a85624b664d9108b36 ftp.rules c580f094d32435915f893c2661fb73dc icmp-info.rules 3abbb384dd222225560ec87b324b63ce icmp.rules 9159fed0eda9c16245f4c6edb94c0d7c info.rules 8005f28d5e2400c474a7b765029eefb5 local.rules 8204b5ce028496bca3f95a06dfca10b9 misc.rules f63f7c3c9a9f627521b0dcce1e134f1f netbios.rules fe402fc3c9e795ea22af59be84683be5 policy.rules 00b1e66fe86b46bf94460320ca71d972 porn.rules c23be32425937a87219ccd0ee4f85813 rpc.rules 82a173d9144a11ea1e686fcec730549a rservices.rules c9dd621a43c896dde6dd2da09575897f scan.rules 55a0e660ea08c314cf4d5c19f7973f83 shellcode.rules b304d4b570e94112d6b025d6a55007c1 smtp.rules ccff2e48615eb7d27466b26a9dd66b66 sql.rules f68e3bee2ab97ce729f20a0f4751ca04 telnet.rules a263d7e4526e8012aafd9daf62690519 tftp.rules 2abd1c03364a8a1c01650764cf2af2f1 virus.rules fe239ae24a682d3d47251c28689fc9ec web-attacks.rules 2e99d333c4ab20bfd3f5694915b6d591 web-cgi.rules 3051d9dda0ed859487580733b2a318d2 web-coldfusion.rules b7fc9e8371d04b5ec203651c15135657 web-frontpage.rules e7100df55b15a262f45d0a2940594d1f web-iis.rules 028a217dbdc67fea026a1f7c3dd6560b web-misc.rules 6e85b6a55b84bffc29fd58b8e6747b65 x11.rules c20eb0f3f140b7659ebd37f2e3553f2d backdoor.rules 08b710276367c03fcd26d1b3512a870d bad-traffic.rules 48683f29e6452e4e43f1af004f537485 ddos.rules f605e07289ace0adc279aa46225834a5 dns.rules b231ab5af973df5f06201f16be8a37ff dos.rules 31788f18caaed776f021e5029bdd6757 exploit.rules 
3f0c90491298edd0dfc37a6afc9ffac6 finger.rules a2f2068460b622a85624b664d9108b36 ftp.rules c580f094d32435915f893c2661fb73dc icmp-info.rules 3abbb384dd222225560ec87b324b63ce icmp.rules 9159fed0eda9c16245f4c6edb94c0d7c info.rules 8005f28d5e2400c474a7b765029eefb5 local.rules 8204b5ce028496bca3f95a06dfca10b9 misc.rules f63f7c3c9a9f627521b0dcce1e134f1f netbios.rules fe402fc3c9e795ea22af59be84683be5 policy.rules 00b1e66fe86b46bf94460320ca71d972 porn.rules c23be32425937a87219ccd0ee4f85813 rpc.rules 82a173d9144a11ea1e686fcec730549a rservices.rules c9dd621a43c896dde6dd2da09575897f scan.rules 55a0e660ea08c314cf4d5c19f7973f83 shellcode.rules b304d4b570e94112d6b025d6a55007c1 smtp.rules ccff2e48615eb7d27466b26a9dd66b66 sql.rules f68e3bee2ab97ce729f20a0f4751ca04 telnet.rules a263d7e4526e8012aafd9daf62690519 tftp.rules 2abd1c03364a8a1c01650764cf2af2f1 virus.rules fe239ae24a682d3d47251c28689fc9ec web-attacks.rules 2e99d333c4ab20bfd3f5694915b6d591 web-cgi.rules 3051d9dda0ed859487580733b2a318d2 web-coldfusion.rules b7fc9e8371d04b5ec203651c15135657 web-frontpage.rules e7100df55b15a262f45d0a2940594d1f web-iis.rules 028a217dbdc67fea026a1f7c3dd6560b web-misc.rules 6e85b6a55b84bffc29fd58b8e6747b65 x11.rules " | while read md5sum file ; do check_md5 /etc/snort/$file $md5sum /etc/snort/rules/ done echo "Finished check of old rulefiles" # Classification config modified? check_md5 /etc/snort/classification.config 183a351fc8c3a60ed9fbbb8194e4eda1 fi fi fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# debian/snort.TEMPLATE.templates0000664000000000000000000001027612317374213013500 0ustar Template: snort{PACKAGE}/startup Type: select __Choices: boot, dialup, manual Default: boot _Description: Snort start method: Snort can be started during boot, when connecting to the net with pppd or only manually with the /usr/sbin/snort command. 
Template: snort{PACKAGE}/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: This value is usually 'eth0', but this may be inappropriate in some network environments; for a dialup connection 'ppp0' might be more appropriate (see the output of '/sbin/ifconfig'). . Typically, this is the same interface as the 'default route' is on. You can determine which interface is used for this by running '/sbin/route -n' (look for '0.0.0.0'). . It is also not uncommon to use an interface with no IP address configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a 'port mirroring/spanning' port in a switch, to a hub or to a tap). . You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration. Template: snort{PACKAGE}/address_range Type: string Default: 192.168.0.0/16 _Description: Address range for the local network: Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces). . Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them. Template: snort{PACKAGE}/disable_promiscuous Type: boolean Default: false _Description: Should Snort disable promiscuous mode on the interface? Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers. 
Template: snort{PACKAGE}/invalid_interface Type: error _Description: Invalid interface Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to 'eth0', or you specified one which is invalid. Template: snort{PACKAGE}/send_stats Type: boolean Default: true _Description: Should daily summaries be sent by e-mail? A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address. . Please choose whether you want to activate this feature. Template: snort{PACKAGE}/stats_rcpt Type: string Default: root _Description: Recipient of daily statistics mails: Please specify the e-mail address that should receive daily summaries of Snort logs. Template: snort{PACKAGE}/options Type: string _Description: Additional custom options: Please specify any additional options Snort should use. Template: snort{PACKAGE}/stats_treshold Type: string Default: 1 _Description: Minimum occurrences before alerts are reported: Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics. Template: snort{PACKAGE}/please_restart_manually Type: note _Description: Snort restart required As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. Template: snort{PACKAGE}/config_error Type: error _Description: Configuration error The current Snort configuration is invalid and will prevent Snort starting up normally. Please review and correct it. . To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -c '. Template: snort{PACKAGE}/config_parameters Type: error _Description: Obsolete configuration file This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort). . Please review the new configuration and remove the obsolete one. 
Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases. debian/snort-inline.docs0000664000000000000000000000025112317374213012464 0ustar doc/AUTHORS doc/BUGS doc/CREDITS doc/NEWS doc/README doc/README.PLUGINS doc/USAGE doc/README.database doc/README.csv debian/my/snort_rules.html debian/README.Maintainer debian/snort-inline.config0000664000000000000000000000531612317374213013010 0ustar #!/bin/sh -e . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x [ -r /etc/snort/snort.debian.conf ] && . /etc/snort/snort.debian.conf INTERFACES="" check_interfaces() { # Check the interface status, abort with error if a configured one is not # available [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do if ! LC_ALL=C ifconfig "$iface" | grep -w UP >/dev/null; then return 1 fi done return 0 } db_input low snort-inline/startup || true db_go # /etc/ppp/ip-up.d/snort is called with interface and IP number db_get snort-inline/startup if [ "$RET" = "dialup" ]; then db_set snort-inline/interface "" db_set snort-inline/address_range "" else db_beginblock # Interface default in case the configuration file does not exist if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then INTERFACES=eth0 else INTERFACES=$DEBIAN_SNORT_INTERFACE fi # Ask for a valid set of interfaces ok='' count=0 while [ ! "$ok" ] && [ "$count" -lt 2 ]; do # Depending on whether the default interface is up or down we set the # question priority priority='medium' if ! check_interfaces then priority='high' db_fset snort-inline/interface seen false fi set +e db_input $priority snort-inline/interface if [ $? -eq 30 ]; then # User is not being shown the question, break out break fi set -e db_go || true # Check the interfaces db_get snort-inline/interface INTERFACES=$RET if ! 
check_interfaces ; then db_fset snort-inline/invalid_interface seen false db_input critical snort-inline/invalid_interface else ok='yes' fi # Increment the count, we only go through this two times count=$(($count+1)) done db_input high snort-inline/address_range || true db_endblock db_go fi db_beginblock db_input low snort-inline/options || true db_endblock db_go db_beginblock db_input low snort-inline/send_stats || true db_go db_get snort-inline/send_stats if [ $RET = true ]; then # TODO: This values should not be empty (even # if we default to 'root' and '1' in the scripts) # so the config script should check wether the # values here are legitimate. db_beginblock db_input medium snort-inline/stats_rcpt || true db_input low snort-inline/stats_treshold || true db_endblock db_go fi db_get snort-inline/startup if [ $RET = "manual" ]; then db_beginblock db_input medium snort-inline/please_restart_manually || true db_endblock db_go fi DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters if [ -e "$DEFAULT" ] && [ -e "$PARAMETERS" ] ; then db_beginblock db_input medium snort-inline/config_parameters || true db_endblock db_go fi db_stop debian/snort.prerm0000664000000000000000000000275712317374526011431 0ustar #! /bin/sh # prerm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `upgrade' # * `failed-upgrade' # * `remove' `in-favour' # * `deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ case "$1" in remove|upgrade|deconfigure) if [ -x "/etc/init.d/snort" ] ; then if [ -x "`which invoke-rc.d >/dev/null 2>&1`" ] ; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi else start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort fi rm -f /var/run/snort_*.pid # Older versions of snort just kill every process with 'snort' in the # name, so also 'snort.prerm'. This fixes that. 
ps cax | grep ' snort$' | awk '{print $1}' | xargs --no-run-if-empty kill -s KILL >/dev/null || true ;; failed-upgrade) ;; *) echo "prerm called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/README-database-upgrade.Debian0000664000000000000000000000307412317374213014427 0ustar DATABASE CHANGES ------------------ The database layout has changed a bit in different Snort releases: - DB schema v107 [ introduced in Snort 2.6 ] Added signature.sig_gid to the schema. Upgrading from v106 -> v107 is as simple as: mysql> ALTER TABLE signature ADD sig_gid INT UNSIGNED; mysql> UPDATE `schema` SET vseq=107; mysql> UPDATE `schema` SET ctime=now(); psql> ALTER TABLE signature ADD sig_gid INT8; psql> UPDATE schema SET vseq=107; psql> UPDATE schema SET ctime=now(); - DB schema v106 [ introduced in Snort 1.9 ] Added the sensor.last_cid field to the schema so the database can store the last used cid for a given sensor. This field will ensure that a cid will never be reused. Upgrading from v105 -> v106 is as simple as: mysql> ALTER TABLE sensor ADD last_cid INT UNSIGNED NOT NULL; mysql> UPDATE `schema` SET vseq=106; mysql> UPDATE `schema` SET ctime=now(); psql> ALTER TABLE sensor ADD last_cid INT8; psql> UPDATE schema SET vseq=106; psql> UPDATE schema SET ctime=now(); FINAL NOTE ---------- These changes have to be made as Database administrator. 
For MySQL you can use the debian-sys-maint's password available at /etc/mysql/debian.cnf and connect like this to fix the database: mysql -u debian-sys-maint -h localhost -p SNORT_DB Where SNORT_DB is the name of your alert database (typically 'snort') For PostgreSQL you can 'su' to the postgres user in the system the database is installed in and run psql -h localhost -p SNORT_DB --- Javier Fernandez-Sanguino Thu, 01 May 2008 22:22:21 +0200 debian/snort-mysql.config0000664000000000000000000001271512317374213012700 0ustar #!/bin/sh -e . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x if [ -r /etc/snort/snort.debian.conf ] ; then . /etc/snort/snort.debian.conf # Set the variables in debconf using the configuration values # (if defined) [ ! -z "$DEBIAN_SNORT_STARTUP" ] && { db_set snort-mysql/startup "$DEBIAN_SNORT_STARTUP"; db_fset snort-mysql/startup seen true ; } [ ! -z "$DEBIAN_SNORT_HOME_NET" ] && { db_set snort-mysql/address_range "$DEBIAN_SNORT_HOME_NET"; db_fset snort-mysql/address_range seen true ; } if [ ! -z "$DEBIAN_SNORT_OPTIONS" ] ; then # Remove the -p option wich is added in postinst due to the 'DISABLE_PROMISCUOUS' debconf option DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -p$//'` db_get snort/reverse_order if [ "x$RET" = "xyes" ]; then # Remove the -o option which was introduced by Debconf # (snort/reverse_order) in versions previous to 2.8.5.2-2 DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -o$//'` fi db_set snort-mysql/options "$DEBIAN_SNORT_OPTIONS" db_fset snort-mysql/options seen true fi [ ! -z "$DEBIAN_SNORT_INTERFACE" ] && { db_set snort-mysql/interface "$DEBIAN_SNORT_INTERFACE"; db_fset snort-mysql/interface seen true ; } [ ! -z "$DEBIAN_SNORT_SEND_STATS" ] && { db_set snort-mysql/send_stats "$DEBIAN_SNORT_SEND_STATS"; db_fset snort-mysql/send_stats seen true ; } [ ! 
-z "$DEBIAN_SNORT_STATS_RCPT" ] && { db_set snort-mysql/stats_rcpt "$DEBIAN_SNORT_STATS_RCPT" ; db_fset snort-mysql/stats_rcpt seen true ; } [ ! -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && { db_set snort-mysql/stats_treshold "$DEBIAN_SNORT_STATS_THRESHOLD"; db_fset snort-mysql/stats_treshold seen true ; } fi INTERFACES="" check_interfaces() { # Check the interface status, abort with error if a configured one is not # available [ -z "$INTERFACES" ] && return 0 ints=`echo $INTERFACES | sed -e 's/,/ /g'` for iface in $ints; do if ! LC_ALL=C ifconfig "$iface" 2>/dev/null | grep -w UP >/dev/null; then return 1 fi done return 0 } db_input low snort-mysql/startup || true db_go # /etc/ppp/ip-up.d/snort-mysql is called with interface and IP number db_get snort-mysql/startup if [ "x$RET" = "xdialup" ]; then db_set snort-mysql/interface "" db_set snort-mysql/address_range "" db_set snort-mysql/disable_promiscuous true else db_beginblock # Interface default in case the configuration file does not exist if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then INTERFACES=eth0 else INTERFACES="$DEBIAN_SNORT_INTERFACE" fi # Ask for a valid set of interfaces ok='' count=0 while [ ! "$ok" ] && [ "$count" -lt 2 ]; do # Depending on whether the default interface is up or down we set the # question priority priority='medium' if ! check_interfaces then priority='high' db_fset snort-mysql/interface seen false fi set +e db_input $priority snort-mysql/interface if [ $? -eq 30 ]; then # User is not being shown the question, break out break fi set -e db_go || true # Check the interfaces db_get snort-mysql/interface INTERFACES=$RET if ! 
check_interfaces ; then db_fset snort-mysql/invalid_interface seen false db_input critical snort-mysql/invalid_interface else ok='yes' fi # Increment the count, we only go through this two times count=$(($count+1)) done db_input high snort-mysql/address_range || true db_input low snort-mysql/disable_promiscuous || true db_endblock db_go fi db_beginblock db_input low snort-mysql/options || true db_endblock db_go db_beginblock db_input low snort-mysql/send_stats || true db_go db_get snort-mysql/send_stats if [ "x$RET" = "true" ]; then # TODO: This values should not be empty (even # if we default to 'root' and '1' in the scripts) # so the config script should check wether the # values here are legitimate. db_beginblock db_input medium snort-mysql/stats_rcpt || true db_input low snort-mysql/stats_treshold || true db_endblock db_go fi # TODO: Database configuration should ensure that only # valid characters are included here. Since the information # is written into a configuration file at least hashes should be prevented. 
# See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567495 db_input high snort-mysql/configure_db || true db_go db_get snort-mysql/configure_db if [ "x$RET" = "xtrue" ]; then db_beginblock db_input medium snort-mysql/db_host || true db_input medium snort-mysql/db_database || true db_input medium snort-mysql/db_user || true db_input medium snort-mysql/db_pass || true # Use the old name for the Debconf value if it exists db_get snort-pgsql/wait_for_db_config || true if [ "x$RET" = "xtrue" ]; then db_set snort-mysql/needs_db_config "true" || true else db_input high snort-mysql/needs_db_config || true fi db_endblock db_go fi DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters if [ -e "$DEFAULT" ] && [ -e "$PARAMETERS" ] ; then db_beginblock db_input high snort-mysql/config_parameters || true db_endblock db_go fi db_get snort-mysql/startup if [ "x$RET" = "xmanual" ]; then db_beginblock db_input medium snort-mysql/please_restart_manually || true db_endblock db_go fi db_stop debian/snort-inline.postrm0000664000000000000000000000321312317374213013061 0ustar #! /bin/sh # postrm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ # TODO : Should use /etc/default/snort definitions? 
case "$1" in purge|disappear) # Remove logfiles rm -rf /var/log/snort/ # Remove configuration if [ -e /etc/snort/snort.debian.conf ] ; then rm /etc/snort/snort.debian.conf fi if [ -e /etc/snort/snort.common.parameters ] ; then rm /etc/snort/snort.common.parameters fi if [ -e /etc/default/snort ] ; then rm /etc/default/snort fi # Remove configuration dir [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort # Remove init.d update-rc.d -f snort remove >/dev/null # Remove user/group if getent passwd | grep -q "^snort:"; then userdel snort 2>/dev/null || true fi if getent group | grep -q "^snort:" ; then delgroup --only-if-empty snort 2>/dev/null || true fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) # nothing # We may not delete the user snort, as there may be # files owned by it in /var/log/snort and /etc/snort. ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# debian/snort-pgsql.ADD.templates0000664000000000000000000000113012317374213013766 0ustar Template: snort-pgsql/needs_db_config Type: note _Description: Configured database mandatory for Snort Snort needs a configured database before it can successfully start up. In order to create the structure you need to run the following commands AFTER the package is installed: . cd /usr/share/doc/snort-pgsql/ zcat create_postgresql.gz | psql -U -h -W . Fill in the correct values for the user, host, and database names. PostgreSQL will prompt you for the password. . After you have created the database structure, you will need to start Snort manually. debian/snort-mysql.postinst0000664000000000000000000004034412317374213013315 0ustar #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum DBCONFIG=/etc/snort/database.conf DBCONFIG_CHECKSUM=/var/lib/snort/database.conf.md5sum # Create the checksum directory if it does not exist if [ ! 
-d $(dirname $CONFIG_CHECKSUM) ]; then mkdir $(dirname $CONFIG_CHECKSUM) fi . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. FIRSTINST= RECONFIGURE= if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then RECONFIGURE="true" else RECONFIGURE= fi if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then FIRSTINST="yes" fi if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then UPGRADE="yes" fi case "$1" in install) ;; upgrade) db_get snort-mysql/startup || true if [ "$RET" = "manual" ]; then #db_fset snort-mysql/please_restart_manually seen false db_beginblock db_input high snort-mysql/please_restart_manually || true db_endblock db_go db_stop fi ;; configure) # only mess with config file it exists; otherwise, assume that's the way the # user wants it, but only if upgrading if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then # similarly, check for the existence of the checksum file; if it doesn't # exist, assume that's the way the user wants it, but only if upgrading if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then # next, compare the current and stored checksums; if they do not match, # assume that's the way the user wants it ... 
upgrading etc if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ [ -z "$UPGRADE" ]; then # they match; get ready to prepare a new version of the config file overwrite_config="yes" fi fi fi # generate new config file db_get snort-mysql/startup || true; STARTUP="$RET" db_get snort-mysql/interface || true; INTERFACE="$RET" db_get snort-mysql/address_range || true; ADDRESS_RANGE="$RET" db_get snort-mysql/disable_promiscuous || true; DISABLE_PROMISCUOUS="$RET" db_get snort-mysql/send_stats || true; STATS_SEND="$RET" db_get snort-mysql/stats_rcpt || true; STATS_RCPT="$RET" db_get snort-mysql/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort-mysql/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` # If this is an upgrade from a previous release that did not have # a configuration checksum then try to determine if we can # upgrade. # # To do this: tlest the current configuration against the old auto-generated configuration # file if there is no configuration checksum and create one if it exists. # Also, tell the script to overwrite with the new configuration file. if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then OLD_CONFIG=$(tempfile) cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if cmp -s "$CONFIG" "$OLD_CONFIG"; then md5sum "$CONFIG" > "$CONFIG_CHECKSUM" overwrite_config="yes" fi rm -f "$OLD_CONFIG" fi # Create the new configuration file based on debconf information NEW_CONFIG=$(tempfile) cat <>"$NEW_CONFIG" # snort.debian.config (Debian Snort configuration file) # # This file was generated by the post-installation script of the snort-mysql # package using values from the debconf database. # # It is used for options that are changed by Debian to leave # the original configuration files untouched. # # This file is automatically updated on upgrades of the snort-mysql # package *only* if it has not been modified since the last upgrade of that package. # # If you have edited this file but would like it to be automatically updated # again, run the following command as root: # dpkg-reconfigure snort-mysql DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then if [ "$overwrite_config" = "yes" ] ;then cp "$NEW_CONFIG" "$CONFIG.dpkg-new" mv "$CONFIG.dpkg-new" "$CONFIG" md5sum "$CONFIG" > "$CONFIG_CHECKSUM" else if [ ! -e "$CONFIG" ] ; then echo "snort: not updating $CONFIG; file does not exist" >&2 else if [ ! 
-e "$CONFIG_CHECKSUM" ] ; then echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 else echo "snort: not updating $CONFIG; file has been customized" >&2 fi fi fi else # Update the md5sum file md5sum "$CONFIG" > "$CONFIG_CHECKSUM" fi rm -f "$NEW_CONFIG" if [ -e /etc/snort/db-pending-config ] ; then STARTUP="manual" echo echo "/etc/snort/db-pending-config file found" echo "Snort will not start as its database is not yet configured." echo "Please configure the database as described in" echo "/usr/share/doc/snort-mysql/README-database.Debian" echo "and then remove /etc/snort/db-pending-config" fi # create database config stuff in the configuration file, # or configure it for syslog-logging. db_get snort-mysql/configure_db if [ "$RET" = "true" ]; then # only mess with config file it exists; otherwise, assume that's the way the # user wants it, but only if upgrading if [ -e "$DBCONFIG" ] || [ -z "$UPGRADE" ]; then # similarly, check for the existence of the checksum file; if it doesn't # exist, assume that's the way the user wants it, but only if upgrading if [ -e "$DBCONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then # next, compare the current and stored checksums; if they do not match, # assume that's the way the user wants it ... upgrading etc if [ "$(md5sum "$DBCONFIG" 2>/dev/null)" = \ "$(cat "$DBCONFIG_CHECKSUM" 2>/dev/null)" ] || \ [ -z "$UPGRADE" ]; then # they match; get ready to prepare a new version of the config file overwrite_dbconfig="yes" fi fi fi if [ ! -e "$DBCONFIG" ] && [ "$FIRSTINST" = "yes" ]; then overwrite_config="yes" fi db_get snort-mysql/db_host || true; DB_HOST=$RET db_get snort-mysql/db_database || true; DB_DATABASE=$RET db_get snort-mysql/db_user || true; DB_USER=$RET db_get snort-mysql/db_pass || true; DB_PASS=$RET # Check if this is an upgrade from previous version with no checksum if [ ! 
-e "$DBCONFIG_CHECKSUM" ] && [ -e "$DBCONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then # Here we put the database stuff in the config file. TEMPFILE=$(tempfile) # Header information echo "# AUTOMATIC GENERATED FILE -- DO NOT EDIT" >> $TEMPFILE echo "# Please, keep your paws off of these file" >> $TEMPFILE echo "# or you *will* break the configure process (snort-pgsql/snort-mysql only)" >> $TEMPFILE echo "# Anything you put in this file will be removed on (re)configure." >> $TEMPFILE echo -n "output database: log, mysql, " >> $TEMPFILE if [ -n "$DB_USER" ] then echo -n "user=$DB_USER " >> $TEMPFILE fi if [ -n "$DB_PASS" ] then echo -n "password=$DB_PASS " >> $TEMPFILE fi if [ -n "$DB_DATABASE" ] then echo -n "dbname=$DB_DATABASE " >> $TEMPFILE fi if [ -n "$DB_HOST" ] then echo -n "host=$DB_HOST " >> $TEMPFILE fi echo " " >> $TEMPFILE if cmp -s "$DBCONFIG" "$TEMPFILE"; then md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" overwrite_dbconfig="yes" fi fi NEW_DBCONFIG=$(tempfile) cat <>"$NEW_DBCONFIG" # database.config (Debian Snort database configuration file) # # This file was generated by the post-installation script of the # snort-mysql package using values from the debconf database. # # It is used for database options for Snort that are configured # by the sysadmin to live the original configuration files untouched. # # This file is automatically updated on upgrades of the snort-mysql # package *only* if it has not been modified since the last upgrade of that # package. 
# # If you have edited this file but would like it to be automatically updated # again, run the following command as root: # dpkg-reconfigure snort-mysql # EOF echo -n "output database: log, mysql, " >> "$NEW_DBCONFIG" [ -n "$DB_USER" ] && echo -n "user=$DB_USER " >> "$NEW_DBCONFIG" [ -n "$DB_PASS" ] && echo -n "password=$DB_PASS " >> "$NEW_DBCONFIG" [ -n "$DB_DATABASE" ] && echo -n "dbname=$DB_DATABASE " >> "$NEW_DBCONFIG" [ -n "$DB_HOST" ] && echo -n "host=$DB_HOST " >> "$NEW_DBCONFIG" echo " " >> "$NEW_DBCONFIG" if ! cmp -s "$CONFIG" "$NEW_DBCONFIG"; then if [ "$overwrite_dbconfig" = "yes" ] ;then cp "$NEW_DBCONFIG" "$DBCONFIG.dpkg-new" mv "$DBCONFIG.dpkg-new" "$DBCONFIG" md5sum "$DBCONFIG" > "$DBCONFIG_CHECKSUM" else if [ ! -e "$DBCONFIG" ] ; then echo "snort: not updating $DBCONFIG; file does not exist" >&2 else if [ ! -e "$DBCONFIG_CHECKSUM" ] ; then echo "snort: not updating $DBCONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 else echo "snort: not updating $DBCONFIG; file has been customized" >&2 fi fi fi fi rm -f "$NEW_DBCONFIG" fi # of if $RET true - end of database configuration # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null then chown root:snort /etc/snort/snort.conf chmod 640 /etc/snort/snort.conf fi if ! dpkg-statoverride --list /etc/snort/database.conf >/dev/null then chown root:snort /etc/snort/database.conf chmod 640 /etc/snort/database.conf fi db_stop # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf if [ -f "$OLDCONF" ]; then mv "$OLDCONF" "$OLDCONF.OBSOLETE" fi # Update the rc.d's update-rc.d snort defaults >/dev/null if [ "$STARTUP" != "manual" ]; then # in the case we reconfigure we have to restart and not just to start. if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? 
fi fi # of if STARTUP - manual ;; abort-upgrade) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac if [ "$STARTUP" = "dialup" ]; then # Try to guess environments for all pppds we have no .env for... for PPPD_PID in $(pidof pppd ipppd); do # If we got an empty PID (however), we break here test "$PPPD_PID" || continue # # This is a lot of shell voodoo, let's try to figure it out: # 1. egrep: # It greps for our current pppd PID in all pppd and ipppd # pidfiles. # It *should* return exactly one file name: the one with # our current pppd PID in it; however, to be safe, we fence # it with a head -1. # 2. basename $(egrep ...) .pid: # It takes the file name from the egrep and strips off its # path and the .pid suffix # 3. sed: # Unfortunately the filenames of pppd and ipppd differ: # pppd uses $INTERFACE.pid, while ipppd uses # ipppd.$INTERFACE.pid. # The .pid is already stripped off by basename, thus, we # just strip off any "ipppd." prefix and end up in the # plain interface name. # Maybe pppd decides to change it's pidfile naming # convention according to ipppd somewhere in the future, # thus, we use '^i\?pppd\.' (sed eregex) and thus strip # off all "ipppd." and all "pppd." prefixes. This doesn't # harm anyways. # Because of the pppd pidfile naming convention, our # approach works always with ipppd and mostly with pppd: # the latter only, if the user did not decide to rename # his ppp interface to something else than ppp* # (not possible currently, afaics). # PPP_IFACE=$(basename $(egrep -l "^[[:space:]]*$PPPD_PID[[:space:]]*\$" /var/run/ppp*.pid /var/run/ipppd.*.pid 2> /dev/null | head -1) .pid | sed -e 's/^i\?pppd\.//') # # If we got no interface from pidfiles (because there are no # pidfiles, for example), we assume the most common case: # one pppd with default route set. # This is ugly, but there is no other chance. Let's hope, # nobody ever manages multiple pppds without pidfiles for # them. 
# test "$PPP_IFACE" || PPP_IFACE=$(route -n | awk '/^0\.0\.0\.0 / { print $8 }') # If we couldn't discover an interface name, we break here test "$PPP_IFACE" || continue PPP_LOCAL=$(ifconfig $PPP_IFACE | awk '/inet addr:/ { gsub("addr:", ""); print $2 }') # If we couldn't discover a local IP, we break here test "$PPP_LOCAL" || continue ENVFILE=/var/run/snort_$PPP_IFACE.env # If we already have an .env for that interface, we break here test -e "$ENVFILE" && continue # Write .env for that interface echo "Creating missing $ENVFILE" echo "PPPD_PID=$PPPD_PID" > "$ENVFILE" echo "PPP_IFACE=$PPP_IFACE" >> "$ENVFILE" echo "PPP_LOCAL=$PPP_LOCAL" >> "$ENVFILE" # If such a snort is still running, just kill it ps -ef | grep /usr/sbin/snort | grep "$PPP_LOCAL" | grep "$PPP_IFACE" | awk '{ print $2 }' | xargs --no-run-if-empty kill -s KILL >/dev/null done fi if [ "$STARTUP" = "boot" ] || [ "$STARTUP" = "dialup" ]; then if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort start || exit $? else /etc/init.d/snort start || exit $? fi fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort-mysql.manpages0000664000000000000000000000001012317374213013207 0ustar snort.8 debian/TODO-package0000664000000000000000000000272212317374526011266 0ustar TODO for Snort's packaging -------------------------- - Move to dpkg format v3. We have only a few changes in the source package so that should be easy to do. - Make it possible for admins to provide more than one interface Snort will listen to when configuring the package - Make it easier to do changes in maintainer's config files if different 'flavors' are provided (with different compilation flags). Although currently there is one flavor of the snort package, if different flavors are generated they might duplicate a lot of common code which makes it unmaintainable and leads to bugs. 
For example, when the database flavor packages were provided (snort-pgsql and snort-mysql) bugs (e.g. #502084) might be fixed in the basic flavor but not in other packages. --> This might require that the generation of the /etc/snort/snort.debian.conf configuration file and its handling (through scripts common for all packages) should be moved over to snort-common (along with all of the questions and templates) - Share information between package installations. If a user installs the basic 'snort' package and later on a different snort-xxx 'flavor' (e.g. with inline support) he will be asked the same questions (interface, IP range) twice. Maybe use snort-common as a placeholder for shared information. Also simplifies code sharing between config files --> Fixes the above. ---- Javier Fernandez-Sanguino Wed, 08 Aug 2012 21:12:54 +0200 debian/snort.dirs0000664000000000000000000000025612317374526011235 0ustar etc/cron.daily etc/init.d etc/logrotate.d etc/default etc/ppp/ip-down.d etc/ppp/ip-up.d etc/snort usr/sbin usr/share/doc/snort usr/share/man/man8 var/log/snort var/lib/snort debian/snort.postinst0000664000000000000000000002501612317374526012160 0ustar #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf CONFIG_CHECKSUM=/var/lib/snort/snort.debian.conf.md5sum # Create the checksum directory if it does not exist if [ ! -d $(dirname $CONFIG_CHECKSUM) ]; then mkdir $(dirname $CONFIG_CHECKSUM) fi . 
/usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. FIRSTINST= RECONFIGURE= if [ "$1" = "reconfigure" ] || [ -n "$DEBCONF_RECONFIGURE" ]; then RECONFIGURE="true" else RECONFIGURE= fi if ([ "$1" = "install" ] || [ "$1" = "configure" ]) && [ -z "$2" ]; then FIRSTINST="yes" fi if [ -z "$RECONFIGURE" ] && [ -z "$FIRSTINST" ]; then UPGRADE="yes" fi case "$1" in install) ;; upgrade) db_get snort/startup || true if [ "$RET" = "manual" ]; then echo "You have chosen to (re)start snort manually." echo "Please restart Snort manually." sleep 2 #db_fset snort/please_restart_manually seen false #db_beginblock #db_input high snort/please_restart_manually || true #db_endblock #db_go #db_stop fi ;; configure) # only mess with config file it exists; otherwise, assume that's the way the # user wants it, but only if upgrading if [ -e "$CONFIG" ] || [ -z "$UPGRADE" ]; then # similarly, check for the existence of the checksum file; if it doesn't # exist, assume that's the way the user wants it, but only if upgrading if [ -e "$CONFIG_CHECKSUM" ] || [ -z "$UPGRADE" ]; then # next, compare the current and stored checksums; if they do not match, # assume that's the way the user wants it ... 
upgrading etc if [ "$(md5sum "$CONFIG" 2>/dev/null)" = \ "$(cat "$CONFIG_CHECKSUM" 2>/dev/null)" ] || \ [ -z "$UPGRADE" ]; then # they match; get ready to prepare a new version of the config file overwrite_config="yes" fi fi fi # generate new config file db_get snort/startup || true; STARTUP="$RET" db_get snort/interface || true; INTERFACE="$RET" db_get snort/address_range || true; ADDRESS_RANGE="$RET" db_get snort/disable_promiscuous || true; DISABLE_PROMISCUOUS="$RET" db_get snort/send_stats || true; STATS_SEND="$RET" db_get snort/stats_rcpt || true; STATS_RCPT="$RET" db_get snort/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort/options || true; OPTIONS="$RET" test "$DISABLE_PROMISCUOUS" = "true" && OPTIONS="$OPTIONS -p" # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` # If this is an upgrade from a previous release that did not have # a configuration checksum then try to determine if we can # upgrade. # # To do this: tlest the current configuration against the old auto-generated configuration # file if there is no configuration checksum and create one if it exists. # Also, tell the script to overwrite with the new configuration file. if [ ! -e "$CONFIG_CHECKSUM" ] && [ -e "$CONFIG" ] && dpkg --compare-versions "$2" lt-nl 2.8.5.2-6; then OLD_CONFIG=$(tempfile) cat <>"$OLD_CONFIG" # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. 
DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if cmp -s "$CONFIG" "$OLD_CONFIG"; then md5sum "$CONFIG" > "$CONFIG_CHECKSUM" overwrite_config="yes" fi rm -f "$OLD_CONFIG" fi # Create the new configuration file based on debconf information NEW_CONFIG=$(tempfile) cat <>"$NEW_CONFIG" # snort.debian.config (Debian Snort configuration file) # # This file was generated by the post-installation script of the snort # package using values from the debconf database. # # It is used for options that are changed by Debian to leave # the original configuration files untouched. # # This file is automatically updated on upgrades of the snort package # *only* if it has not been modified since the last upgrade of that package. # # If you have edited this file but would like it to be automatically updated # again, run the following command as root: # dpkg-reconfigure snort DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if ! cmp -s "$CONFIG" "$NEW_CONFIG"; then if [ "$overwrite_config" = "yes" ] ;then cp "$NEW_CONFIG" "$CONFIG.dpkg-new" mv "$CONFIG.dpkg-new" "$CONFIG" md5sum "$CONFIG" > "$CONFIG_CHECKSUM" else if [ ! -e "$CONFIG" ] ; then echo "snort: not updating $CONFIG; file does not exist" >&2 else if [ ! 
-e "$CONFIG_CHECKSUM" ] ; then echo "snort: not updating $CONFIG; no stored checksum available and it does not match the debconf database configuration" >&2 else echo "snort: not updating $CONFIG; file has been customized" >&2 fi fi fi else # Update the md5sum file md5sum "$CONFIG" > "$CONFIG_CHECKSUM" fi rm -f "$NEW_CONFIG" if [ -f /etc/snort/snort.conf ]; then # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null then chown root:snort /etc/snort/snort.conf chmod 640 /etc/snort/snort.conf fi fi db_stop # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf if [ -f "$OLDCONF" ]; then mv "$OLDCONF" "$OLDCONF.OBSOLETE" fi # Update the rc.d's update-rc.d snort defaults >/dev/null # in the case we reconfigure we have to restart and not just to start. if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi ;; abort-upgrade) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac if [ "$STARTUP" = "dialup" ]; then # Try to guess environments for all pppds we have no .env for... for PPPD_PID in $(pidof pppd ipppd); do # If we got an empty PID (however), we break here test "$PPPD_PID" || continue # # This is a lot of shell voodoo, let's try to figure it out: # 1. egrep: # It greps for our current pppd PID in all pppd and ipppd # pidfiles. # It *should* return exactly one file name: the one with # our current pppd PID in it; however, to be safe, we fence # it with a head -1. # 2. basename $(egrep ...) .pid: # It takes the file name from the egrep and strips off its # path and the .pid suffix # 3. sed: # Unfortunately the filenames of pppd and ipppd differ: # pppd uses $INTERFACE.pid, while ipppd uses # ipppd.$INTERFACE.pid. # The .pid is already stripped off by basename, thus, we # just strip off any "ipppd." prefix and end up in the # plain interface name. 
# Maybe pppd decides to change it's pidfile naming # convention according to ipppd somewhere in the future, # thus, we use '^i\?pppd\.' (sed eregex) and thus strip # off all "ipppd." and all "pppd." prefixes. This doesn't # harm anyways. # Because of the pppd pidfile naming convention, our # approach works always with ipppd and mostly with pppd: # the latter only, if the user did not decide to rename # his ppp interface to something else than ppp* # (not possible currently, afaics). # PPP_IFACE=$(basename $(egrep -l "^[[:space:]]*$PPPD_PID[[:space:]]*\$" /var/run/ppp*.pid /var/run/ipppd.*.pid 2> /dev/null | head -1) .pid | sed -e 's/^i\?pppd\.//') # # If we got no interface from pidfiles (because there are no # pidfiles, for example), we assume the most common case: # one pppd with default route set. # This is ugly, but there is no other chance. Let's hope, # nobody ever manages multiple pppds without pidfiles for # them. # test "$PPP_IFACE" || PPP_IFACE=$(route -n | awk '/^0\.0\.0\.0 / { print $8 }') # If we couldn't discover an interface name, we break here test "$PPP_IFACE" || continue PPP_LOCAL=$(ifconfig $PPP_IFACE | awk '/inet addr:/ { gsub("addr:", ""); print $2 }') # If we couldn't discover a local IP, we break here test "$PPP_LOCAL" || continue ENVFILE=/var/run/snort_$PPP_IFACE.env # If we already have an .env for that interface, we break here test -e "$ENVFILE" && continue # Write .env for that interface echo "Creating missing $ENVFILE" echo "PPPD_PID=$PPPD_PID" > "$ENVFILE" echo "PPP_IFACE=$PPP_IFACE" >> "$ENVFILE" echo "PPP_LOCAL=$PPP_LOCAL" >> "$ENVFILE" # If such a snort is still running, just kill it ps -ef | grep /usr/sbin/snort | grep "$PPP_LOCAL" | grep "$PPP_IFACE" | awk '{ print $2 }' | xargs --no-run-if-empty kill -s KILL >/dev/null done fi if [ "$STARTUP" = "boot" ] || [ "$STARTUP" = "dialup" ]; then if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort start || exit $? else /etc/init.d/snort start || exit $? 
fi fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort-rules-default.postrm0000664000000000000000000000210212317374526014362 0ustar #! /bin/sh # postrm script for snort-rules-default # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ case "$1" in purge|disappear) if [ -d /etc/snort/rules ]; then rmdir --ignore-fail-on-non-empty /etc/snort/rules || true fi if [ -d /etc/snort ]; then rmdir --ignore-fail-on-non-empty /etc/snort || true fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then . /usr/share/debconf/confmodule db_purge fi debian/snort-pgsql.docs0000664000000000000000000000035512317374213012341 0ustar doc/AUTHORS doc/BUGS doc/CREDITS doc/NEWS doc/README doc/README.PLUGINS doc/USAGE doc/README.database doc/README.csv debian/my/snort_rules.html debian/README.Maintainer debian/README-database.Debian debian/README-database-upgrade.Debian debian/snort-pgsql.manpages0000664000000000000000000000001012317374213013170 0ustar snort.8 debian/snort-common-libraries.dirs0000664000000000000000000000004312317374526014467 0ustar usr/lib usr/lib/snort_dynamicrules debian/rules.inline0000664000000000000000000002054512317374213011533 0ustar #!/usr/bin/make -f #-*- makefile -*- # Made with the aid of dh_make, by Craig Small # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. # Some lines taken from debmake, by Christoph Lameter. 
export DH_VERBOSE=1 TMP=`pwd`/debian CFLAGS:=-g -O2 -D_GNU_SOURCE ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) CFLAGS += -g endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif export CFLAGS CONFFLAGS= --prefix=/usr \ --bindir=\$$\{exec_prefix\}/sbin \ --mandir=\$$\{exec_prefix\}/share/man \ --enable-smbalerts # Cannot enable flexresp since it builds only with libnet 1.0.2a # --enable-flexresp \ build-indep: build-indep-stamp build-indep-stamp: dh_testdir cd doc && make snort_manual.pdf build-mysql: build-mysql-stamp build-mysql-stamp: dh_testdir # MySQL package: ./configure $(CONFFLAGS) \ --with-mysql \ --without-postgresql $(MAKE) mv src/snort src/snort-mysql $(MAKE) clean build-pgsql: build-pgsql-stamp build-pgsql-stamp: dh_testdir # PostgreSQL package: ./configure $(CONFFLAGS) \ --without-mysql \ --with-postgresql \ --with-pgsql-includes=`pg_config --includedir` $(MAKE) mv src/snort src/snort-pgsql $(MAKE) clean build-inline: build-inline-stamp build-inline-stamp: dh_testdir # Inline support ./configure $(CONFFLAGS) \ --without-mysql \ --without-postgresql \ --enable-inline \ --with-libipq-includes=/usr/include/libipq/ \ --enable-prelude # Add here commands to compile the package. $(MAKE) mv src/snort src/snort-inline $(MAKE) clean build: build-stamp build-stamp: build-pgsql build-mysql dh_testdir # Standard package support ./configure $(CONFFLAGS) \ --without-mysql \ --without-postgresql \ --enable-prelude $(MAKE) $(MAKE) clean # Build the documentation cd doc && $(MAKE) faq.pdf touch build-stamp clean: dh_testdir dh_testroot rm -f build*stamp install-stamp # Add here commands to clean up after the build process. 
-(cd doc && $(MAKE) distclean) -$(MAKE) distclean rm -f src/snort-mysql rm -f src/snort-pgsql rm -f src/snort-inline rm -f doc/snort_manual.{pdf,ps,aux,log,toc} dh_clean install: install-stamp install-stamp: build-stamp dh_testdir dh_testroot dh_clean -k dh_installdirs # Add here commands to install the package into debian/tmp. $(MAKE) install prefix=$(TMP)/snort-common/usr/ install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-mysql/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-pgsql/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort-inline/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort/etc/init.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort-mysql/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort-pgsql/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort-inline/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort-mysql/etc/ppp/ip-down.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort-pgsql/etc/ppp/ip-down.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort-inline/etc/ppp/ip-down.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort/etc/ppp/ip-down.d/snort rm -rf $(TMP)/snort-common/etc/ppp # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort-mysql/etc/snort/snort.common.parameters # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort-pgsql/etc/snort/snort.common.parameters # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort/etc/snort/snort.common.parameters install -m 644 -o root -g root 
`pwd`/debian/snort.default $(TMP)/snort-mysql/etc/default/snort install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort-pgsql/etc/default/snort install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort-inline/etc/default/snort install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort/etc/default/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-mysql/etc/logrotate.d/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-pgsql/etc/logrotate.d/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort-inline/etc/logrotate.d/snort install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort/etc/logrotate.d/snort install -m 755 -o root -g root `pwd`/debian/snort.cron.daily $(TMP)/snort-common/etc/cron.daily/5snort install -m 755 -o root -g root `pwd`/debian/my/snort-stat $(TMP)/snort-common/usr/sbin/ install -m 644 -o root -g root `pwd`/etc/snort.conf $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/unicode.map $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/threshold.conf $(TMP)/snort-common/etc/snort/ cp rules/*.rules $(TMP)/snort-rules-default/etc/snort/rules/ # mkdir -p $(TMP)/snort-rules-default/usr/share/snort/ # install -m 644 -o root -g root `pwd`/debian/oldrules.md5 $(TMP)/snort-rules-default/usr/share/snort/oldrules.md5 cp etc/sid-msg.map $(TMP)/snort-rules-default/etc/snort/ cp etc/gen-msg.map $(TMP)/snort-rules-default/etc/snort/ cp etc/community-sid-msg.map $(TMP)/snort-rules-default/etc/snort/ cp etc/classification.config $(TMP)/snort-rules-default/etc/snort/ cp etc/reference.config $(TMP)/snort-rules-default/etc/snort/ mv src/snort-mysql $(TMP)/snort-mysql/usr/sbin/snort mv src/snort-pgsql $(TMP)/snort-pgsql/usr/sbin/snort mv src/snort $(TMP)/snort-inline/usr/sbin/snort mv $(TMP)/snort-common/usr/sbin/snort $(TMP)/snort/usr/sbin/snort touch install-stamp # Build 
architecture-independent files here. binary-indep: build build-indep install dh_testdir -i dh_testroot -i dh_installdocs -i dh_installexamples -i dh_installdebconf -i dh_installman -i # Other adjustments rm -rf $(TMP)/snort-doc/usr/share/doc/snort-doc/CVS rm -rf $(TMP)/snort-doc/usr/share/doc/snort-doc/contrib/CVS chmod +x $(TMP)/snort-common/usr/share/doc/snort-doc/examples/snort* cp -a doc/signatures/ $(TMP)/snort-doc/usr/share/doc/snort-doc/ rm -rf $(TMP)/snort-doc/usr/share/man rm -rf $(TMP)/snort-rules-default/usr/share/man dh_undocumented -i rm -rf $(TMP)/snort-common/usr/share/man/man8/snort.* dh_installchangelogs -i ChangeLog dh_link -i dh_strip -i dh_compress -i dh_fixperms -i dh_suidregister -i dh_makeshlibs -i dh_installdeb -i dh_perl -i dh_shlibdeps -i dh_gencontrol -i dh_md5sums -i dh_builddeb -i # Build architecture-dependent files here. binary-arch: build install dh_testdir -a dh_testroot -a dh_installdocs -a dh_installexamples -a dh_installdebconf -a dh_installman -a cp $(TMP)/snort-mysql/usr/share/doc/snort-mysql/copyright $(TMP)/snort/usr/share/doc/snort/ rm -f $(TMP)/snort-mysql/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-pgsql/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-inline/usr/share/man/man8/snort-stat.* rm -rf $(TMP)/snort-rules-default/usr/share/man rm -f $(TMP)/snort/usr/share/man/man8/snort-stat.* rm -f $(TMP)/snort-common/usr/share/man/man8/snort.* mkdir -p $(TMP)/snort-mysql/usr/share/doc/snort-mysql/ install -m 644 -o root -g root schemas/create_mysql $(TMP)/snort-mysql/usr/share/doc/snort-mysql/ mkdir -p $(TMP)/snort-pgsql/usr/share/doc/snort-pgsql/ install -m 644 -o root -g root schemas/create_postgresql $(TMP)/snort-pgsql/usr/share/doc/snort-pgsql/ dh_undocumented -a dh_installchangelogs -a ChangeLog dh_link -a dh_strip -a dh_compress -a dh_fixperms -a dh_suidregister -a dh_makeshlibs -a dh_installdeb -a dh_perl -a dh_shlibdeps -a dh_gencontrol -a dh_md5sums -a dh_builddeb -a source diff: @echo >&2 'source and diff 
are obsolete - use dpkg-source -b'; false update-rules: mv rules rules.old wget -q -O ../snortrules-snapshot-2_2.tar.gz http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz tar -zxf ../snortrules-snapshot-2_2.tar.gz if [ -d rules ] ; then mv rules.old/Makefile* rules/; rm -rf rules.old; fi binary: binary-indep binary-arch .PHONY: build clean binary-indep binary-arch binary debian/snort-inline.dirs0000664000000000000000000000017612317374213012503 0ustar etc/cron.daily etc/init.d etc/logrotate.d etc/default etc/snort usr/sbin usr/share/doc/snort usr/share/man/man8 var/log/snort debian/copyright0000664000000000000000000001110212317374526011130 0ustar This package was adopted by Sander Smeenk Tue, 4 Jun 2002 21:56:15 +0200 This package was debianized by Robert van der Meulen Sun Feb 4 17:20:36 CET 2001. It was downloaded from http://www.snort.org/ Upstream Author: Martin Roesch Copyright: Copyright (C) 1998-2002 Martin Roesch Portions: - Copyright (C) 2002-2007 Sourcefire, Inc. - Copyright (C) 1993-1998 by Christopher R. Hertel - Copyright (C) 2001 Brian Caswell - Copyright (C) 2000,2001 Andrew R. Baker - Copyright (C) 2006 Joshua Wright - Copyright (C) 2002-2004 Jeff Nathan - Copyright (C) 2000,2001,2002 Carnegie Mellon University - Copyright (C) 2001 Jed Pickel - Copyright (C) 2000-2003 MySQL AB & MySQL Finland AB & TCX DataKonsult AB - Copyright (C) 2005 PreludeIDS Technologies. - Copyright (c) 1998 Todd C. Miller - Copyright(C) 1975 Association for Computing Machinery,Inc - Copyright(C) 2002,2003,2004 Marc Norton - Copyright(C) 2003,2004 Daniel Roelker - Copyright (c) 2001 Michael Davis - Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan - Copyright (c) 1997-2003 University of Cambridge - Copyright (C) 2000,2001 Maciej Szarpak - Copyright (C) 2001 Phil Wood - Copyright (C) 1999,2000,2001 Christian Lademann - Copyright (c) 1998 Sendmail, Inc. All rights reserved. - Copyright (c) 1997 Eric P. Allman. All rights reserved. 
- Copyright (c) 1988, 1993 The Regents of the University of California - Copyright (C) 2000,2001 Christopher Cramer - Copyright (C) 2003 Michael J. Pomraning - Copyright (C) 1999,2000,2001 Christian Lademann - Copyright (C) 2000 Mike Andersen - Copyright (C) 2001 Andrew Stubbs - Copyright (C) 2002 Chris Reid License: This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991. You may not use, modify or distribute this program under any other version of the GNU General Public License. This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-2'. Additional licenses / copyrights: --------------------------------- Snort includes Winpcap which is: * Copyright (c) 2001 - 2003 * NetGroup, Politecnico di Torino (Italy) * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. 
Neither the name of the Politecnico di Torino nor the names of its * contributors may be used to endorse or promote products derived from * this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. debian/snort-inline.prerm0000664000000000000000000000275612317374213012675 0ustar
#! /bin/sh
# prerm script for snort
#
# see: dh_installdeb(1)
#
# Purpose: stop every running Snort instance before the package is removed,
# upgraded or deconfigured. The init.d script is preferred (through
# invoke-rc.d when it is available, so that policy-rc.d is honoured) and
# start-stop-daemon is the fallback when no init script is installed.
# Arguments: $1 - the dpkg maintainer-script action (see the summary below)
# Returns:   0, or the exit status of a failed "stop" action

set -e

# summary of how this script can be called:
# * `remove'
# * `upgrade'
# * `failed-upgrade'
# * `remove' `in-favour'
# * `deconfigure' `in-favour'
# `removing'
#
# for details, see /usr/doc/packaging-manual/

case "$1" in
  remove|upgrade|deconfigure)
    if [ -x "/etc/init.d/snort" ] ; then
      # NOTE(review): the stdout of `which` is redirected to /dev/null
      # *inside* the command substitution, so the substitution is always
      # empty, `[ -x "" ]` is always false and the invoke-rc.d branch is
      # never taken -- the else branch below always runs. The
      # snort-common.postinst further down in this archive uses the working
      # form `which invoke-rc.d 2>/dev/null`.
      if [ -x "`which invoke-rc.d >/dev/null 2>&1`" ] ; then
        invoke-rc.d snort stop || exit $?
      else
        /etc/init.d/snort stop || exit $?
      fi
    else
      # No init script: stop by executable path. --oknodo makes this exit 0
      # when nothing is running, so set -e does not abort the removal.
      start-stop-daemon --stop --quiet --oknodo --exec /usr/sbin/snort
    fi
    # Remove any stale pid files matching /var/run/snort_*.pid.
    rm -f /var/run/snort_*.pid
    # Older versions of snort just kill every process with 'snort' in the
    # name, so also 'snort.prerm'. This fixes that.
    # NOTE(review): the anchored pattern ' snort$' is what keeps this prerm
    # from matching itself. Whatever still matches is sent SIGKILL straight
    # away (no SIGTERM first) and any failure is deliberately ignored with
    # `|| true`: this is last-resort cleanup. A reviewer would normally
    # replace this ps|grep|awk|xargs chain with `pkill -x`; behaviour is
    # left unchanged here.
    ps cax | grep ' snort$' | awk '{print $1}' | xargs --no-run-if-empty kill -s KILL >/dev/null || true
  ;;
  failed-upgrade)
    # Nothing to do here: the new version's prerm failed, leave the
    # instances as they are.
  ;;
  *)
    echo "prerm called with unknown argument \`$1'" >&2
    exit 0
  ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0
debian/snort-common.postinst0000664000000000000000000000201212317374526013435 0ustar #!/bin/sh -e . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # Check if Snort will be able to run properly # Obviously, if you are using deprecated preprocessors (checked on config) # it's not going to work either, but we do not test for that here. # # TODO: Maybe it's also best if we could tell dpkg that snort should # not be started if this fails. if [ -x /etc/init.d/snort ] ; then # Try to find if we are expecting the script to run enabled=0 if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then set +e invoke-rc.d --query snort start if [ $? -ne 104 ] ; then # Disabled, or does not work, do not check the configuration enabled=1 fi set -e fi if [ "$enabled" -eq 0 ] ; then set +e /etc/init.d/snort config-check >/dev/null 2>&1 if [ $?
-ne 0 ] ; then db_input critical snort/config_error || true db_go || true fi set -e fi fi db_stop #DEBHELPER# exit 0 debian/control0000664000000000000000000001276412317404376010614 0ustar Source: snort Section: net Priority: optional Maintainer: Javier Fernández-Sanguino Peña Uploaders: Andrew Pollock Build-Depends: libnet1-dev, libpcap0.8-dev, libpcre3-dev, debhelper (>= 5.0.0), po-debconf (>= 0.5.0), libgnutls-dev, libdumbnet-dev, libdaq-dev (>= 2.0), flex, bison Build-Depends-Indep: texlive, texlive-binaries, texlive-latex-base, texlive-font-utils, latex2html, ghostscript Standards-Version: 3.9.5 Homepage: http://www.snort.org/ Vcs-Git: git://git.debian.org/git/pkg-snort/pkg-snort.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-snort/pkg-snort.git Package: snort Architecture: any Pre-Depends: adduser (>= 3.11) Depends: snort-common-libraries (>=${binary:Version}), snort-rules-default (>= ${source:Version}), snort-common (>= ${source:Version}), debconf (>= 0.2.80) | debconf-2.0, rsyslog | system-log-daemon, logrotate, net-tools, ${shlibs:Depends}, ${misc:Depends} Conflicts: snort-mysql, snort-pgsql Replaces: snort-common (<< 2.0.2-3) Recommends: iproute2 Suggests: snort-doc Description: flexible Network Intrusion Detection System Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This package provides the plain-vanilla version of Snort. 
Package: snort-common Architecture: all Pre-Depends: adduser (>= 3.11) Depends: perl-modules, debconf (>= 0.2.80) | debconf-2.0, lsb-base, ${shlibs:Depends}, ${misc:Depends} Conflicts: snort (<< ${binary:Version}) Replaces: snort (<< 1.8.4beta1-1) Suggests: snort-doc Description: flexible Network Intrusion Detection System - common files Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This is a common package which holds cron jobs, tools, and config files used by all the different package flavors. Package: snort-doc Architecture: all Depends: ${misc:Depends} Priority: optional Section: doc Description: flexible Network Intrusion Detection System - documentation Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This package provides the documentation for Snort. 
Package: snort-rules-default Provides: snort-rules Architecture: all Depends: debconf (>= 0.2.80) | debconf-2.0, adduser (>= 3.11), ${shlibs:Depends}, ${misc:Depends} Suggests: snort (>= 2.2.0) | snort-pgsql (>= 2.2.0) | snort-mysql (>= 2.2.0) Recommends: oinkmaster Homepage: http://www.snort.org/snort-rules/ Description: flexible Network Intrusion Detection System - ruleset Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This is the Snort default ruleset, which provides a basic set of network intrusion detection rules developed by the Snort community. They can be used as a basis for development of additional rules. Users using Snort to defend networks in production environments are encouraged to update their local rulesets as described in the included documentation or using the oinkmaster package. Package: snort-common-libraries Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Suggests: snort (>= 2.7.0) | snort-pgsql (>= 2.7.0) | snort-mysql (>= 2.7.0) Conflicts: snort-common (<< 2.7.0-6) Description: flexible Network Intrusion Detection System - libraries Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to detecting a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. 
Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba. . This package provides libraries used by all the Snort binary packages. debian/snort-common.preinst0000664000000000000000000000243512317374526013247 0ustar #!/bin/sh set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' GENCONF="/etc/snort/snort.conf" # generic configuration file DBCONF="/etc/snort/database.conf" # deprecated case "$1" in install) # Do nothing ;; upgrade) # versions previous to 2.9.3 created the /etc/snort/database.conf # file for configuration #if dpkg --compare-versions "$2" le "2.9.3" && [ -e "$DBCONF" ] && ! [ -s "$DBCONF" ] #then # # should show a warning to the user if not empty? # (it will be deprecated anyway and will not be included in snort.conf) # #fi # Remove the database configuration file it is exists and is empty if [ -e "$DBCONF" ] && ! [ -s "$DBCONF" ] then rm -f $DBCONF fi ;; configure) # Do nothing ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. 
#DEBHELPER# exit 0 debian/snort.logrotate0000664000000000000000000000062212317374526012271 0ustar /var/log/snort/portscan.log /var/log/snort/alert /var/log/snort/portscan2.log { daily rotate 7 compress missingok notifempty create 0640 snort adm sharedscripts postrotate if [ -x /usr/sbin/invoke-rc.d ]; then \ invoke-rc.d snort restart > /dev/null; \ else \ /etc/init.d/snort restart > /dev/null; \ fi; endscript } debian/snort-doc.examples0000664000000000000000000000003512317374526012650 0ustar debian/my/snort_rules_update debian/snort-doc.docs0000664000000000000000000000023712317374526011766 0ustar debian/README.docs doc/BUGS doc/NEWS doc/PROBLEMS doc/snort_manual.pdf doc/TODO doc/USAGE doc/WISHLIST debian/my/lisapaper.txt doc/README* doc/RELEASE.NOTES.* debian/snort-inline.postinst0000664000000000000000000000655312317374213013432 0ustar #!/bin/sh -e CONFIG=/etc/snort/snort.debian.conf . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-deconfigure' `in-favour' # `removing' # # for details, see /usr/doc/packaging-manual/ # # quoting from the policy: # Any necessary prompting should almost always be confined to the # post-installation script, and should be protected with a conditional # so that unnecessary prompting doesn't happen if a package's # installation fails and the `postinst' is called with `abort-upgrade', # `abort-remove' or `abort-deconfigure'. case "$1" in install) ;; upgrade) db_get snort-inline/startup || true if [ "$RET" = "manual" ]; then echo "You have chosen to (re)start snort manually." echo "Please restart Snort manually." 
sleep 2 fi ;; configure) # edit config file db_get snort-inline/startup || true; STARTUP=$RET db_get snort-inline/interface || true; INTERFACE="$RET" db_get snort-inline/address_range || true; ADDRESS_RANGE="$RET" db_get snort-inline/send_stats || true; STATS_SEND="$RET" db_get snort-inline/stats_rcpt || true; STATS_RCPT="$RET" db_get snort-inline/stats_treshold || true; STATS_THRESHOLD="$RET" db_get snort-inline/options || true; OPTIONS="$RET" # Failsafe in case the values above are blank (jfs) [ -z "$STATS_RCPT" ] && STATS_RCPT=root [ -z "$STATS_THRESHOLD" ] && STATS_THRESHOLD=1 # STATS_RCPT=`echo "$STATS_RCPT" | sed -e 's/@/\\\\@/g' -e 's/,/\\\\,/g'` cat <$CONFIG # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort" to change them. DEBIAN_SNORT_STARTUP="$STARTUP" DEBIAN_SNORT_HOME_NET="$ADDRESS_RANGE" DEBIAN_SNORT_OPTIONS="$OPTIONS" DEBIAN_SNORT_INTERFACE="$INTERFACE" DEBIAN_SNORT_SEND_STATS="$STATS_SEND" DEBIAN_SNORT_STATS_RCPT="$STATS_RCPT" DEBIAN_SNORT_STATS_THRESHOLD="$STATS_THRESHOLD" EOF if [ -f /etc/snort/snort.conf ]; then # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null then chown root:snort /etc/snort/snort.conf chmod 640 /etc/snort/snort.conf fi fi db_stop # Check for left-over files from woody packages. OLDCONF=/etc/snort/snort.rules.conf if [ -f $OLDCONF ]; then mv $OLDCONF $OLDCONF.OBSOLETE fi # Update the rc.d's update-rc.d snort defaults >/dev/null # in the case we reconfigure we have to restart and not just to start. if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort stop || exit $? else /etc/init.d/snort stop || exit $? fi ;; abort-upgrade) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 0 ;; esac if [ "$STARTUP" = "boot" ] || [ "$STARTUP" = "dialup" ]; then if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then invoke-rc.d snort start || exit $? 
else /etc/init.d/snort start || exit $? fi fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# exit 0 debian/snort-common.examples0000664000000000000000000000003512317374526013373 0ustar debian/my/snort_rules_update debian/snort-pgsql.templates0000664000000000000000000001334112317374213013406 0ustar Template: snort-pgsql/startup Type: select __Choices: boot, dialup, manual Default: boot _Description: Snort start method: Snort can be started during boot, when connecting to the net with pppd or only manually with the /usr/sbin/snort command. Template: snort-pgsql/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: This value is usually 'eth0', but this may be inappropriate in some network environments; for a dialup connection 'ppp0' might be more appropriate (see the output of '/sbin/ifconfig'). . Typically, this is the same interface as the 'default route' is on. You can determine which interface is used for this by running '/sbin/route -n' (look for '0.0.0.0'). . It is also not uncommon to use an interface with no IP address configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a 'port mirroring/spanning' port in a switch, to a hub or to a tap). . You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration. Template: snort-pgsql/address_range Type: string Default: 192.168.0.0/16 _Description: Address range for the local network: Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces). . 
Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them. Template: snort-pgsql/disable_promiscuous Type: boolean Default: false _Description: Should Snort disable promiscuous mode on the interface? Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers. Template: snort-pgsql/invalid_interface Type: error _Description: Invalid interface Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to 'eth0', or you specified one which is invalid. Template: snort-pgsql/send_stats Type: boolean Default: true _Description: Should daily summaries be sent by e-mail? A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address. . Please choose whether you want to activate this feature. Template: snort-pgsql/stats_rcpt Type: string Default: root _Description: Recipient of daily statistics mails: Please specify the e-mail address that should receive daily summaries of Snort logs. Template: snort-pgsql/options Type: string _Description: Additional custom options: Please specify any additional options Snort should use. Template: snort-pgsql/stats_treshold Type: string Default: 1 _Description: Minimum occurrences before alerts are reported: Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics. Template: snort-pgsql/please_restart_manually Type: note _Description: Snort restart required As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. 
Template: snort-pgsql/config_parameters Type: error _Description: Obsolete configuration file This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort). . Please review the new configuration and remove the obsolete one. Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases. Template: snort-pgsql/configure_db Type: boolean Default: true _Description: Set up a database for snort-pgsql to log to? No database has been set up for Snort to log to. Before continuing, you should make sure you have: . - the server host name (that server must allow TCP connections from this machine); - a database on that server; - a username and password to access the database. . If some of these requirements are missing, reject this option and run with regular file logging support. . Database logging can be reconfigured later by running 'dpkg-reconfigure -plow snort-pgsql'. Template: snort-pgsql/db_host Type: string _Description: Database server hostname: Please specify the host name of a database server that allows incoming connections from this host. Template: snort-pgsql/db_database Type: string _Description: Database name: Please specify the name of an existing database to which the database user has write access. Template: snort-pgsql/db_user Type: string _Description: Username for database access: Please specify a database server username with write access to the database. Template: snort-pgsql/db_pass Type: password _Description: Password for the database connection: Please enter the password to use to connect to the Snort Alert database. Template: snort-pgsql/needs_db_config Type: note _Description: Configured database mandatory for Snort Snort needs a configured database before it can successfully start up. 
In order to create the structure you need to run the following commands AFTER the package is installed: . cd /usr/share/doc/snort-pgsql/ zcat create_postgresql.gz | psql -U -h -W . Fill in the correct values for the user, host, and database names. PostgreSQL will prompt you for the password. . After you have created the database structure, you will need to start Snort manually. debian/changelog0000664000000000000000000033525612317404426011063 0ustar snort (2.9.6.0-0ubuntu1) trusty; urgency=low * New upstream release. * debian/patches/documentation: Removed. * debian/patches/fix_upstream_typos: Updated. * debian/control: - Updated Standards-Version to 3.9.5. - Set build-dependency for libdaq-dev to 2.0. -- Jonathan Davies Fri, 04 Apr 2014 00:14:23 +0000 snort (2.9.5.3-3) unstable; urgency=low * debian/control: Add texlive-binaries and texlive-font-utils to Build-Depends-Indep to make sure that buildds have the binaries required to build the documentation as suggested by Hideki Yamane. Kept the texlive metapackage however in debian/control just int case. (Closes: 713254) * Debconf updated Translations: - Updated Russian translation, contributed by Yuri Kozlov (Closes: 722987) -- Javier Fernández-Sanguino Peña Mon, 21 Oct 2013 19:39:20 +0200 snort (2.9.5.3-2) unstable; urgency=low * Debconf templates and debian/control reviewed by the debian-l10n-english team as part of the Smith review project. 
(Closes: 720061) * Debconf updated Translations: - Update Spanish translation, contributed by Javier Fernandez-Sanguino - Updated Russian translation, contributed by Yuri Kozlov (Closes: 722987) - Updated German translation, contributed by Chris Leick (Closes: 723769) - Updated Portuguese translation, contributed by Miguel Figueiredo (Closes: 723779) - Add Simplified Chinese debconf, contributed by Yi Mingjing (Closes: 723818) - Updated Czech translation, contributed by Michal Šimůnek (Closes: 724289) - Updated French translation, contributed by JP Guillonneau (Closes: 724300) - Updated Japanese translation (Closes: 724706) - Updated Italian translation provided by Daniele Forsi (Closes: 724707) - Updated Danish translation provided by Joe Hansen (Closes: 724932) - Updated Swedish translation provided by Martin Bagge (Closes: 725104) -- Javier Fernández-Sanguino Peña Tue, 24 Sep 2013 03:39:00 +0200 snort (2.9.5.3-1) unstable; urgency=low * New upstream release. - Remove faq from the build since it is no longer provided upstream * Lintian fix typo in debian/snort-rules-default.README.Debian * debian/patches: Refresh all patches with new upstream - config_disabled_rules: Disable more .rules files which are not provided in the upstream sources (but might be in the VRT Sourcefire) * debian/control: Add latex2html to Build-Depends-Indep as the html.sty file is required for building the documentation -- Javier Fernández-Sanguino Peña Fri, 16 Aug 2013 20:51:02 +0200 snort (2.9.3.1-1) experimental; urgency=low * New upstream release, target towards experimental due to the current freeze. * The most relevant change in this release is that support by Snort to output directly in a database has been dropped, which means that the snort-pgsql and snort-mysql packages are no longer possible. This is documented in the NEWS file. Also relevant is that support for Prelude is no longer available. 
* Since this release does not include the snort database packages any longer, bugs associated with them are no longer relevant (Closes: #526511, #567495, #292699, #276565, #527113, #388963, #388962, #321046, #369951) * debian/rules: Update the configuration options to adjust to those used in the snort.conf script provided upstream * debian/patches/fix_upstream_typos: Do typo fixes to more source files * debian/patches/config: Add more comments in the default configuration file, enable at least one output plugin (unified2) and set some configurations values as recommended in Jason Weir's "Building a Debian\Snort based IDS" available in http://www.snort.org/docs (Closes: #193544) * debian/patches/*: Refresh the patches to apply to the new upstream release * debian/po/*: Refresh all templates since the previous templates for database configuration have gone along with the snort database 'flavor' packages. * debian/snort-common.preinst: Remove the /etc/snort/database.conf on upgrades * debian/snort.preinst: Control output of usermod * debian/snort-common.{config,templates}: - Add code to detect old configuration files with content (which might happen on upgrades to 2.9.3 coming from the snort-mysql or snort-pgsql packages) and warn the user if they exist. - Update the list of valid preprocessors for this release -- Javier Fernández-Sanguino Peña Wed, 08 Aug 2012 22:12:35 +0200 snort (2.9.2.2-3) unstable; urgency=medium [ Upload target towards Wheezy fixing some important bugs and substantially improving the information provided on the packages to clarify user expectations ] * Acknowledge previous NMU * debian/patches/config: Update the patch to: - use absolute paths instead of relative paths to point to the white list and black list used by the reputation pre-processor. - disable the reputation as we do not ship any white/black lists by default (which causes it to fail at startup) and also because this preprocessor is experimental. 
Both changes fix the bug that prevented the package from being configured due to errors when starting up Snort with the default configuration (Closes: #677810) - Add a comment to /etc/snort/snort.conf documenting for users reading the file that preinstalled rules are surely out of date. * debian/patches/config_disabled_rules: Comment out shellcode rules as these have a huge impact in performance unless properly tuned. * debian/patches/rules: Fix the definition of many SIP rules (defined as 'alert ip any any'). These were generating a lot of false positives in environments where enabled. Regardless of the change, comment out SIP rules since they are outdated and can generate many false alarms unless properly defined. (Closes: #626596, #680303). * debian/control: Adjust description of snort-rules-default to indicate to users that the ruleset provided should not be considered up-to-date. Encourage users to obtain additional/upgraded rules elsewhere. * debian/snort-rules-default.README.Debian: Include more information to potential users on the issues related to the default ruleset provided (and why it is out of date) as well as pointers as to where to obtain additional rulesets. Some of this information is also in the NEWS file but is easy for new users to miss. -- Javier Fernández-Sanguino Peña Tue, 07 Aug 2012 23:53:24 +0200 snort (2.9.2.2-2.1) unstable; urgency=low [ gregor herrmann ] * Non-maintainer upload. * Drop quilt framework, the package uses source format "3.0 (quilt)". * Fix FTBFS when called with build-arch: - don't remove configure-stamp in debian/clean_sources.sh; otherwise build-basic gets called again - update target dependencies in debian/rules -- Nicholas Bamber Fri, 22 Jun 2012 10:49:16 +0100 snort (2.9.2.2-2) unstable; urgency=low * Fix "FTBFS with multiarch libmysqlclient-dev" using the patch supplied by Gregor Herrmann : + apply patch from Ubuntu / Jean-Louis Dupond: - debian/rules: use mysql_config to find libraries to fix FTBFS with multiarch libmysqlclient. 
+ debian/control: Build-Depends: drop virtual libmysqlclient15-dev, make libmysqlclient-dev versioned to get mysql_config's --variable= switch. (Closes: #650060) -- Javier Fernández-Sanguino Peña Sun, 02 Jun 2012 17:56:00 +0200 snort (2.9.2.2-1) unstable; urgency=low * New upstream version (bug fix release) (Closes: #666125) - Provides portvar $FILE_DATA_PORTS in etc/snort.conf (Closes: #661944) * Acknowledge NMU (Closes: #669524) * debian/check-snort-conf.sh: New script to check the validity of the etc/snort.conf file provided * debian/patches/series, debian/patches/config_disabled_rules, debian/patches/config: Create independent patch to comment the rules files which are not provided in the Debian package. -- Javier Fernández-Sanguino Peña Sun, 06 May 2012 01:01:30 +0200 snort (2.9.2-3.1) unstable; urgency=low * Non-maintainer upload. * Correct tex .sty path (Closes: #669524) -- Emfox Zhou Mon, 30 Apr 2012 15:57:48 +0800 snort (2.9.2-4) unstable; urgency=low * Fix typo (appropiate --> apppropriate) in all the Snort templates. Also update translations and manually unfuzzy them -- Javier Fernandez-Sanguino Pen~a Tue, 14 Feb 2012 00:38:01 +0100 snort (2.9.2-3) unstable; urgency=low * Restore code from the 2.8.5.2-5 package onwards which was lost when the version of experimental was moved to the archive. - Now /var/lib/snort is created through package configuration, as it should have been - Remove md5sum files when purging (Closes: #657038) * debian/rules: - Enable IPv6 support which was optional in version 2.8 for the Snort binary package. This is not enabled for the database binary packages (snort-pgsql and snort-mysql) as the database schemas do not support IPv6. (Closes: #633064) (LP: #703707) - Include the quilt makefile and add dependencies in -stamp and clean targets * debian/snort.init.d: - Do not abort if the package is not configured to use a database but the db-pending-config semaphore is found. Remove it instead and continue. 
This can happen if a database-related package was installed, removed and then 'snort' is installed afterwards. (LP: #316878, #639755, #722488, #754230, #798608, #876615, #816634) (LP: #891904, #918250) * debian/snort-{mysql,pgsql}.postrm: - Remove the db-pending-config semaphore file when removing the package. This prevents errors with the snort.init.d logic if a database package is left unconfigured and then replaced with the snort (non-database) package. * debian/README-database.Debian: Indicate that database support will be deprecated in 2.9 and document that IPv6 is not supported either * debian/control: - Add Build-Depends on quilt - Add VCS entries - Put the complete maintainer's name in UTF-8 - Change Uploaders, add Andrew Pollock and remove Pascal Hakim - Update Standards Version -- Javier Fernández-Sanguino Peña Wed, 25 Jan 2012 22:24:30 +0100 snort (2.9.2-2) unstable; urgency=low * debian/control: Add net-tools to Depends: of snort, snort-mysql and snort-pgsql since 'ifconfig' is required for the configuration script to work. (Closes: #656445) * debian/snort{,-mysql,-psql}.postinst: Create the checksum directory if it does not exist right at the beginning since it might not be created. 
(Closes: #656445) -- Javier Fernandez-Sanguino Pen~a Thu, 19 Jan 2012 20:34:02 +0100 snort (2.9.2-1) unstable; urgency=low [ Andrew Pollock ] * New upstream release, upload to unstable - Fixes CVE-2009-3641: DoS while printing specially-crafted IPv6 packet using the -v option (Closes: 553584) - The package no longer build-depends on iptables-dev and the negated list of architectures is no longer used (Closes: 634660) - debian/patches/config: Patch the configuration file to remove include files not currently available (Closes: #619446) - This version is fully supported rule-wise (LP: #872582) * Switch to dpkg-source 3.0 (quilt) format * Port across all changes from Snort 2.8.5.2-5 and later in unstable * debian/snort.postinst: create the directory that the checksum for snort.debian.conf will be created in if it doesn't already exist * debian/rules: tell dh_makeshlibs to not call ldconfig in the preinst/postinst of snort-common-libraries * debian/rules: don't install README.WIN32 into snort-doc [ Javier Fernandez-Sanguino Peña ] * debian/rules: - Set enable-zlib when configuring all packages to force it to be enabled as this is required by the http_inspect preprocessor which is enabled by default (Closes: #631854) - Included (commented) the patch provided by Clint Byrum and included in Ubuntu to prevent snort from FTFS with libmysqlclient-dev which will be multiarch in the future. The patch uses mysql_config to find libraries to fix FTBFS with multiarch libmysqlclient. 
Not enabled since the version of libmysqlclient in unstable currently does not support the --variable=pkglibdir option * debian/snort{,-inline}.config: Use LC_ALL=C when calling ifconfig to make the postinst work when ifconfig's output is internationalised (Closes: 577033) * debian/control: Fix link in the rules package, point to http://www.snort.org/snort-rules/ (Closes: 646547) * debian/my/snort-stat: Modify so that alerts with Priority but without classification are analysed when parsing syslog information. Also set the class to 'Undefined' instead of leaving it empty. (Closes: 590061) * po-debconf translation updates: - Danish, provided by Joe Dalton (Closes: 638678) - Dutch, provided by Jeroen Schot (Closes: 654239) -- Javier Fernandez-Sanguino Pen~a Fri, 13 Jan 2012 21:54:25 +0100 snort (2.8.5.2-9.1) unstable; urgency=low * Non-maintainer upload. * Empty dependency_libs in libtool la file(s). http://wiki.debian.org/ReleaseGoals/LAFileRemoval Closes: #621859 -- Andreas Metzler Sat, 18 Jun 2011 14:08:33 +0200 snort (2.8.5.2-9) unstable; urgency=low * debian/rules: Change gs-common Build-Depends-Indep to ghostscript fo fix FTBFS, thanks to Andreas Metzler for the solution. (Closes: 618197) -- Javier Fernandez-Sanguino Pen~a Sun, 10 Apr 2011 10:57:55 +0200 snort (2.8.5.2-8) unstable; urgency=low * debian/snort{,-mysql,-pgsql}.config: Remove the '-o' from DEBIAN_SNORT_OPTIONS that was prepended by the postinst script in version 2.8.5.2-2 on upgrades. * debian/snort{,-mysql,-pgsql}.prerm: Change /usr/sbin/nessus to /usr/sbin/snort -- Javier Fernandez-Sanguino Pen~a Thu, 22 Jan 2011 12:18:03 +0100 snort (2.8.5.2-7) unstable; urgency=low * debian/snort{,-mysql,-pgsql}.config: Remove the '-p' from DEBIAN_SNORT_OPTIONS that is prepended by the postinst script (if disable promiscuous is set) before adding it to the debconf value to prevent this option from being readded again and again on reinstall. 
(Closes: #608635) * debian/snort{,-mysql,-pgsql}.postinst: Remove the temporary file used to test if the configuration files has not been modified when upgrading to a new version. -- Javier Fernandez-Sanguino Pen~a Sun, 02 Jan 2011 20:47:26 +0100 snort (2.8.5.2-6) unstable; urgency=high * debian/snort{,-mysql,-pgsql}.postinst: Introduce code to be able to manage the situation in which a local admin has introduced changes in the /etc/snort/snort.debian.conf configuration file manually. Keep the local changes and leave the file untouched on upgrades. (Closes: #608590) * debian/snort-{mysql,-pgsql}.postinst: - Introduce code to be able to manage the situation in which a local admin has introduced changes in /etc/snort/database.conf and has not used dpkg-reconfigure. Keep the local changes and do not touch the file on upgrades. - Generate the database.conf regardless of the status of the db-pending-config file as we need the configuration file in any case. * debian/snort{,-mysql,-pgsql}.config: Read the values of the configuration file /etc/snort/snort.debian.conf and use them to set to preseed all the debconf values. This ensures that local changes are reloaded into debconf if any changes are made in the file and makes it possible to regenerate the file with dpkg-reconfigure. * debian/snort{,-mysql,-inline,-pgsq}.config: Make it possible to debug the scripts through the use of the DEBIAN_SCRIPT_DEBUG environment variable * debian/snort-{mysql,pgsql}.config: Fix error in call of template which belongs to the snort package. Use the proper template now. * debian/README-database.Debian: Fix syntax error in MySQL example calls and reword the text a bit to clarify that the provided information are just examples on how to setup the databases. * debian/po/: Use debconf-updatepo to remove obsolete translations from PO files. * debian/NEWS: Remove the indication that database.conf should not be manually edited. 
-- Javier Fernandez-Sanguino Pen~a Sat, 01 Jan 2011 23:40:30 +0100 snort (2.8.5.2-5) unstable; urgency=high * Final RC bug fix: * snort-common: Create the database.conf file on package's configuration not on the preinstallation script (Closes: #607801) * Lintian fixes: * debian/control: Upgrade standards version, no changes required * debian/snort.init.d: add $remote_fs to Required-Start and Required-Stop * debian/snort.templates: Move the config_error template over to debian/snort-common.templates as it is used there * debian/snort-{mysql,pgsql}.templates: remove the config_error template there as it is not used * debian/control: Upgrade the Build-Depends on debhelper * src/parser.c: Typo fix argu*e*ment -> argument * src/preprocessors/spp_perfmonitor.c, src/dynamic-preprocessors/dns/spp_dns.c: Typo fix: sep*e*rated --> separated * rules/web-misc.rules: Limit the depth when searching for an HTTP version to prevent false positives from apt-get User-Agent string (LP: #258155) * debian/snort.init.d: Separate warning message from main messages. * debian/TODO: review contents and update -- Javier Fernandez-Sanguino Pen~a Sun, 26 Dec 2010 13:20:25 +0100 snort (2.9.0.1-2) experimental; urgency=low * [ The Merry Xmas for experimental users Release ! ] * Forward port the changes introduced in the unstable package to experimental tool to make for smoother upgrades to the upstream release. -- Javier Fernandez-Sanguino Pen~a Fri, 24 Dec 2010 19:52:48 +0100 snort (2.8.5.2-4) unstable; urgency=high * [ The Merry Xmas and Merry RC bug fixing Release! ] * debian/snort-common.preinst: - Fix how the files are generated and use Perl instead of bash's echo as the latter will interpret content in the configuration file and will botch it - Fix typo in the configuration file which moved the configuration file to database.conf instead of just the database configuration. 
- Only generate content in database.conf if the default configuration file contains the DBSTART line from previous versions. - Be cautious: if an empty configuration file is generated then abort. (Closes: 607951) * debian/snort.preinst: Do not output information from usermod as this is not needed * Disable an error in rules/comunity-smtp.rules that prevents snort from loading due to the use of !any (Closes: 607751) * debian/snort-{pgsql,mysql}.postinst: Fix syntax error in postinst scripts (Closes: 607678) -- Javier Fernandez-Sanguino Pen~a Fri, 24 Dec 2010 19:39:51 +0100 snort (2.8.5.2-3) unstable; urgency=low * Move the database configuration code for the -mysql and -pgsql packages into an independent file (/etc/snort/database.conf). This prevents the debconf script from modifying /etc/snort/snort.conf, which is a conffile. And, consequently, prevents upgrade prompts for users as well as some other issues when upgrading (Closes: #603428, #566308) * Adding snort-common-preinst to split off existing config or touch the new database config file on new installations to ensure it exists. * Modify etc/snort.conf to include the new database configuration file. * Modify snort-{mysql,pgsql}.postinst to use new configuration file. * Modify snort-{mysql,pgsql,common}.postrm to purge new configuration file if it exists. Thanks to Alexander Reichle-Schmehl for the initial patch used to fix this issue * debian/NEWS: describe the new change on database handling * debian/snort{,-inline,-mysql,-pgsql}.prerm: Move the code in charge of killing stray snort child processes over to the proper location and also ignore errors if there are any (a process might appear spuriously in the process table due to race conditions) (Closes: 557729) -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2010 15:25:49 +0100 snort (2.9.0.1-1) experimental; urgency=low * New upstream release. 
* Change configure.in to use 'dumbnet' instead of 'dnet' since the library is renamed in Debian * debian/control: - Make it Build-Depend on libdumbnet-dev since this release now requires it (it was previously optional) - Remove iptables-dev (no longer required) (Closes: 634660) * debian/rules: - Do not use --enable-smbalerts (no longer available) when configuring * Remove the following documentation from the installation as it is no longer available: doc/README.FLEXRESP, doc/README.FLEXRESP2 * Upload to experimental until I get wider testing. -- Javier Fernandez-Sanguino Pen~a Thu, 11 Nov 2010 00:32:49 +0100 snort (2.8.5.2-2) unstable; urgency=low * Remove the reverse_order debconf option since Snort no longer supports the -o option. The default now in Snort is to have Pass|Alert|Log (Closes: 565567) * Change error message in the init.d script to point to /var/log/daemon.log for Snort log messages. -- Javier Fernandez-Sanguino Pen~a Fri, 22 Jan 2010 00:12:52 +0100 snort (2.8.5.2-1) unstable; urgency=low * New upstream release - Fixes CVE-2009-3641: possible DoS due to crafted IPv6 packet when then -v option is enabled * Fix src/snort.c since it is not buildable, it seems that the distributed source code has a bug. 
-- Javier Fernandez-Sanguino Pen~a Mon, 11 Jan 2010 23:53:05 +0100 snort (2.8.4.1-6) unstable; urgency=low * Package rebuild to fix libmysql depedency (Closes: #548831) * Remove use_static_footprint_sizes option from the stream5_tcp disassembler in etc/snort.conf as the use in production systems is actually discouraged [ see http://sourceforge.net/mailarchive/message.php?msg_name=d3a3e6ac0912080843i17a0302te36548e032b4b013%40mail.gmail.com ] * Lintian fixes: - Remove dh_undocumented from debian/rules - Add ${misc:Depends} to all binary packages - Use updated debhelper version (5) - Update Standards-Version (3.8.3) -- Javier Fernandez-Sanguino Pen~a Wed, 09 Dec 2009 02:05:57 +0100 snort (2.8.4.1-5) unstable; urgency=low * Fix snort-stat so that it can generate proper emails even if Classification is missing from the alert log, use fix suggested by Pavel Mateja. -- Javier Fernandez-Sanguino Pen~a Sun, 01 Nov 2009 00:43:02 +0100 snort (2.8.4.1-4) unstable; urgency=low * Fix init.d so that if 'restart' is executed when no instance is running (no pidfile) it will try to start all of instances, just if 'start' was executed. (Closes: #540450) * Add information on how the init.d script works (Closes: #512810) * Fix name of file in README-database.Debian, remove the database information from the main README.Debian file. (LP: #302218) * Fix bug in debian/clean-sources.sh script (Closes: #547316) * Use a patch provided by Dave Walker to prevent starting snort-mysql|pgsql if the database is not configured yet. This bug cannot be really fixed until we use dbconfig-common here to ask for all the database information to the user through Debconf. (LP: #222091) (Closes: #545082) -- Javier Fernandez-Sanguino Pen~a Wed, 23 Sep 2009 01:35:05 +0200 snort (2.8.4.1-3) unstable; urgency=low * Change the log message in debian/snort.init.d so people are not led to believe they need a /etc/snort/snort.$iface.conf configuration file, /etc/snort/snort.conf is usually just fine. 
* Lintian fixes: - Fix long lines in changelog - Fix debconf priority in configuration scripts (error -> high) - Do not install README.WIN32 in snort-doc's documentation - Do not ignore errors on snort-rules-default.{postrm, preinst} -- Javier Fernandez-Sanguino Pen~a Sun, 02 Aug 2009 18:27:04 +0200 snort (2.8.4.1-2) unstable; urgency=low * Rebuild and upload to unstable. (Closes: 528496) * As acknowledged by upstream and confirmed by users, this release fixes a segfault in snort-mysql (Closes: 536144) * Updated Russian po-debconf translation provided by Yuri Kozlov (Closes: 528677) * Change syslogd dependency in snort, snort-pgsql and snort-mysql to rsyslog since that is the default syslog daemon now. (Closes: 526916) * Remove the syslog dependency from snort-common and snort-rules-default -- Javier Fernandez-Sanguino Pen~a Sat, 01 Aug 2009 17:50:30 +0200 snort (2.8.4.1-1) experimental; urgency=low * New upstream release. * Only provided the latest release notes at debian/snort-common.docs, move older RELEASE notes to docs/ * Update the doc list at debian/snort-doc.docs with the contents from doc/ (new READMEs). Add also the old RELEASE notes for reference. -- Javier Fernandez-Sanguino Pen~a Tue, 09 Jun 2009 02:33:43 +0200 snort (2.7.0-26) unstable; urgency=low * Fix bug in snort-pgsql and snort-mysql's configuration script introduced in the previous upload. They were using the wrong debconf keys which made maintainer scripts fail. (Closes: #526915) -- Javier Fernandez-Sanguino Pen~a Tue, 05 May 2009 01:29:37 +0200 snort (2.7.0-25) unstable; urgency=low * Use src/output-plugins/spo_database.c from the 2.8.4.1 release. This version includes the necessary code to configure the mysql connection so that it reconnects to the database in case the connection gets lost. This might happen if too few events are logged in Snort and the database connection timeouts. 
(Closes: #449568) * Copy over src/ipv6_port.h from 2.8.4.1 and include it in src/output-plugins/spo_database.c * Update Japanese translation for the templates, thanks to Hideki Yamane (Closes: 510704) * Move the code that detects if interfaces are down over to snort-pgsql and snort-mysql. This way, if the interface defined is not available it will prompt again, raising the debconf priority (Closes: #502084) (LP: #477590, #655116) * Change all the config_parameters debconf input from 'medium' to 'error' * Change all the needs_db_config debconf questions from 'medium' to 'high' since users that do not see this note will end up with a non-functioning package. -- Javier Fernandez-Sanguino Pen~a Sun, 03 May 2009 23:40:26 +0200 snort (2.7.0-24) unstable; urgency=low * Remove the LogMessage associated with fragmented traffic since it shows up even in systems that do not have ttl_limit set. -- Javier Fernandez-Sanguino Pen~a Sat, 28 Feb 2009 13:03:22 +0100 snort (2.7.0-23) unstable; urgency=high * Fix error in call to LogMessage (missing parameters) which caused a segfault when fragmented packets were received and ttl_limit was set. This bug was introduced in the patch to fix CVE-2008-1804. Urgency set to 'high' as in some circumstances it makes Snort fail to start on startup or die after working for only a few minutes. Also, this could be used as a DoS attack against an IDS sensor, rendering it useless. (Closes: 503992) -- Javier Fernandez-Sanguino Pen~a Sat, 21 Feb 2009 12:11:33 +0100 snort (2.7.0-22) unstable; urgency=low * Include patch from dato to make the package binNMU-safe * Remove debian/CVS and debian/my/CVS * Fix bug in snort-stat that made it miss alerts generated by preprocessors (they only contain Priority) as well as fix the setting of $alert->{PRIORITY} for alerts generated by rules. Thanks to Gabor Gombas for the patch. (Closes: #500215) * Lintian fixes: - Use Standards Version 3.8.0, no changes needed. 
- Make snort-rules-default.postrm run with 'set +e' and append '|| true' to rmdir calls so that the script does not abort if the directories are not empty. -- Javier Fernandez-Sanguino Pen~a Wed, 05 Nov 2008 00:15:40 +0100 snort (2.7.0-21) unstable; urgency=low * Reupload to unstable, build with proper libraries. Fix mess introduced by previous upload. -- Javier Fernandez-Sanguino Pen~a Wed, 29 Oct 2008 00:01:54 +0100 snort (2.7.0-20.3) testing-proposed-updates; urgency=low * Reupload to testing to *really* depend on newer libpcre. * Include patch from dato to make the package binNMU-safe * Remove debian/CVS and debian/my/CVS -- Javier Fernandez-Sanguino Pen~a Tue, 04 Nov 2008 22:35:26 +0100 snort (2.7.0-20.2) testing-proposed-updates; urgency=high * Upload to testing-proposed-updates to fix security bug CVE-2008-1804 (see below). This package cannot go through sid since the sid build uses a newer libpcre version not available in lenny. (Closes: #483160) -- Javier Fernandez-Sanguino Pen~a Tue, 28 Oct 2008 21:32:48 +0100 snort (2.7.0-20) unstable; urgency=high [ CVE-2008-1804 ] * Fix error in preprocessors/spp_frag3.c that prevented Snort from properly identifying packet fragments that had dissimilar TTL values, which allowed remote attackers to bypass detection rules by using a different TTL for each fragment. Also update src/generators.h to include the new FRAG3_MIN_TTL defines (Closes: #483160) -- Javier Fernandez-Sanguino Pen~a Wed, 22 Oct 2008 01:33:34 +0200 snort (2.7.0-19) unstable; urgency=low * Make the snort_rules_update example script use bash instead of sh. 
(Closes: #489662) -- Javier Fernandez-Sanguino Pen~a Sat, 09 Aug 2008 22:31:47 +0200 snort (2.7.0-18) unstable; urgency=low * Romain debconf translation provided by Eddy Petrior (Closes: 486137) * Swedish debconf translation provided by Martin Bagge (Closes: 491785) -- Javier Fernandez-Sanguino Pen~a Mon, 28 Jul 2008 22:39:37 +0200 snort (2.7.0-17) unstable; urgency=low * Include the README-database-upgrade.Debian in the documentation of the database packages, I forgot to do this in -15 -- Javier Fernandez-Sanguino Pen~a Fri, 02 May 2008 11:52:12 +0200 snort (2.7.0-16) unstable; urgency=low * Lintian fixes: - NEWS file now says unstable instead of experimental - copyright file is now UTF-8 - wrap around files in the changelog - remove empty /usr/src directory from snort-common-libraries - fix spelling error in NEWS file - fix manpage error in snort.8 - change doc-base sections to Network/Monitoring -- Javier Fernandez-Sanguino Pen~a Fri, 02 May 2008 10:28:21 +0200 snort (2.7.0-15) unstable; urgency=low * Update to Standards-Version 3.7.3: - Have the logrotate script call invoke-rc.d if available to do the 'right thing' if the admin has configured Snort to not run by default. * Copyright review: - Add copyright statements to the debian/copyright - Note that the Snort source code is distributed as GPL 2 only (not version 3) - Create a copyright_review.sh shell script to review the contents of the sources and find new copyright statements - Point in debian/copyright to the GPL-2 file, not to GPL (which is v3) * Expand brace-expanded content in debian/rules to prevent bashism (Closes: #478627) * Modify the provided snort_rules_update to use oinkcodes, note in the script that the use of 'oinkmaster' should be preferred (Closes: 314483) * Remove Homepage: from binaries package when redundant with the source package. 
* Handle in the init.d script the case of interfaces being available but not up, thanks to Drew Parsons for an exhaustive analysis and patch (Closes: #471462) * Remove header files from the snort-common-libraries package. If users request it back I will create a snort-common-libraries-dev package providing these headers (Closes: 440842) * Database upgrade: - Added README-database-upgrade.Debian to describe the steps that need to be done to upgrade the Database, also update upstream's (cursory) documentation to describe the v107 changes (Closes: 445334) - [src/output-plugins/spo_database.c] Modify the text messages to point users to the proper location of documentation in Debian systems as well as to the (Debian-specific) documentation related to databases. - Tell users (through NEWS.Debian) that the schema changed from 2.6 to 2.7 and they will need to upgrade their database. * Include the RELEASE NOTES for older releases and provide all of them (for the 2.3, 2.4, and 2.6 releases) as users might find them useful for upgrade purposes (Changelog might be too detailed) * Debconf templates and debian/control reviewed by the debian-l10n- english team as part of the Smith review project. 
Thanks to Christian Perrier for his hard work getting this done (Closes: #469803) * [Debconf translation updates] - Italian translation, updated by Gianluca Cotr (Closes: #477056) - Galician translation, updated by Jacobo Tarrio (Closes: #474622) - Portuguese translation, updated by Traduz (Closes: #475086) - German translation, updated by Erik Schanze (Closes: #477082) - Vietnamese translation, updated by Clytie Siddall (Closes: #477324, #478223) - French translation, updated by Christian Perrier (Closes: #478229, #478230) - Czech translation, updated by Jan Outrata (Closes: #478246) - Russian translation, updated by Yuri Kozlov (Closes: 478303) - Dutch translation, updated by Peter Vandenabeele - Spanish translation, updated by myself * [New Debconf translations] - Basque translation, provided by Piarres Beobide (Closes: #475457) - Finnish translation, provided by Esko Esko Arajärvi (Closes: #475648, #478211) -- Javier Fernandez-Sanguino Pen~a Sun, 27 Apr 2008 21:58:37 +0200 snort (2.7.0-14) unstable; urgency=high * Move installation of the snort.default file from the install-indep rule to the install rule. 
This error was preventing /etc/snort/default from being created in the Snort binary packages and, consequently, the init.d would fail to start properly and the package would not install (Closes: #471895, #473282) * Add libgnutls-dev Build-Depend (Closes: #476651) * Fix typo in the name of the community rules in snort.conf, thanks to David Gil for providing a patch (Closes: #470881) -- Javier Fernandez-Sanguino Pen~a Sun, 20 Apr 2008 21:39:47 +0200 snort (2.7.0-13) unstable; urgency=low * Make the build: target be an empty one, instead of having it depend on both build-arch and build-indep * Remove texlive-latex-recommended from Build-Depends-Indep as suggested by James Vega -- Javier Fernandez-Sanguino Pen~a Sun, 16 Mar 2008 00:16:47 +0100 snort (2.7.0-12) unstable; urgency=low * Add texlive-latex-recommended to Build-Depends-Indep since refcount.sty and kvoptions.sty are used * Have the binary-{arch,indep} depend on install-{arch,indep} instead of in the install target. - Move install calls related to snort-common to the install-indep target * Add some sty files to the build-indep checks in debian/rules so that the documentation is not compiled unless all are available. Yes, buildds are stupid enough to pre-install latex, make the previous checks insufficient and *still* call the build (not build-arch) target! (Closes: #445113) * Unindent comments in debian/rules so that they do not show up. -- Javier Fernandez-Sanguino Pen~a Sat, 15 Mar 2008 20:13:34 +0100 snort (2.7.0-11) unstable; urgency=low * Make the init.d script not depend on the availability of iproute. (Closes: #463020, #466674) * Added a Recommends on iproute, as it can be used to improve the behaviour of the initd script. * Modify the init.d script to remove also the lockfiles for PIDFILEs * Move snort-doc to Suggests in the snort package and add it to snort-pgsl and snort-mysql too. 
* Fix FTBFS on GNU/kFreeBSD (due to unsatisfied Build-Depends on iptables-dev), thanks to Petr Salinger for the fix (Closes: #466073) * Modify src/snort.c to prevent it from showing a message when it tries to remove the PIDFILE. This fails in Debian since Snort is not running as the root user and the daemon cannot modify /var/run. The code is changed so that the error message related to not being able to remove the PIDFILE is only presented if running as root or writing the PIDFILE to a directory that is not /var/run. (Closes: #462423) * Po-debconf translation updates: - Fix error in Italian translation (Closes: #462865) - Japanese translation update, provided by Hideki Yamane (Closes: #463650) -- Javier Fernandez-Sanguino Pen~a Sun, 24 Feb 2008 22:21:09 +0100 snort (2.7.0-10) unstable; urgency=low * Add a new ALLOW_UNAVAILABLE definition in /etc/default/snort which makes the init.d not complain if a configured interface is not available. Also make the init.d script not break if no instances are configured through debconf (to make it possible to use snort using just if-up.d by providing a given interface instance as a 'start' parameter) (Closes: #458823) * Fix typo in templates, unfuzzy translations I can "understand" and which seem to have fixed the typo themselves. 
* Po-debconf updates: - Update German translation provided by Erik Schanze (Closes: #462674) - Updated Italian translation provided by Gianluca Cotr (Closes: #462865) - Romanian translation provided by Eddy Petrisor (Closes: #460344) -- Javier Fernandez-Sanguino Pen~a Sun, 27 Jan 2008 11:12:05 +0100 snort (2.7.0-9) unstable; urgency=low * Modify debian/rules to prevent autobuilders from building the binary-independent components: (Closes: #445113) (Thanks dato for the tip) * Create a new Build-Depends-Indep with all the TeX components used to build documentation * Since autobuilders call build, which in turns calls build-indep, hack the debian rules file so that the documentation is only built if ps2pdf, dvips and pslatex are available. * Enable prelude support in all variants (Closes: #458790) * Debconf translation updates: - Dutch, provided by Peter Vandenabeele - Vietnamese, provided by Clytie Siddall (Closes: #458161) - Portuguese, provided by Miguel Figueiredo (Closes: #458214) - Galician, provided by Jacobo Tarrio (Closes: #458533) - French, provided by Christian Perrier (Closes: #458621) -- Javier Fernandez-Sanguino Pen~a Mon, 31 Dec 2007 00:31:13 +0100 snort (2.7.0-8) unstable; urgency=low * Rewrite debian/rules: - the documentation does not get build on the binary-arch target, (Closes: #445113) - there is now a install-dep and install-arch - install-* dependencies do not depend on build - create a 'clean-sources' target, used only by the 'clean' target - create a clean_sources.sh script to clean the sources properly before each run - call 'clean_sources.sh' before a binary (pgsql, mysql...) 
is built to prevent the binary-* rule from calling 'distclean' at the end of each run (and thus making issues more difficult to debug) - generate a configure target and use it when building both -arch and -indep (needed to generate doc/Makefile) - copy, instead of moving, the binaries, so the 'install' target is more idempotent (still have to use dh_install more to make it so) * Change Maintainer's email address * Create a mechanism to generate all the templates using a "template of templates" since all the questions were the same with small differences per package. - Also fixed snort-inline templates, which were not correct (pointed to the wrong configuration file) - Update Spanish translation myself * Change the init.d script so it behaves like LSB demands: - Do not exit with error if there are no running instances and we try to stop - With 'status', exit with a 1/3 error based on the existence (or not) of the pidfiles - Do not exit with error when trying to start an instance that is already started (use running() for that) - Check if the user is root before attempting to start/stop/restart - Adjust to LSB exit values (instead of always using '1', use 3-6 to indicate several different errors) * Lintian cleanup: - Move Homepage: from the description to a pseudo-header in debian/control - do not ignore distclean errors - remove call to dh_suidregister, we did not use it - add DEBHELPER token to snort-common.postinst - update config.guess and config.sub with automake's 1.7 versions (this is not done automatically in the package, however) - replace ${Source-Version} substvar with ${binary:version} - Move the configuration check of snort-common over to the config script and leave the postinst only to check the status of the init.d script. 
Also, modify the snort-common.postinst so it only does the configuration check if invoke-rc.d (if installed) - Fix 'malformed-title-in-templates' in all templates by removing the ending dot - Fix the 'malformed-prompt-in-templates' by adjusting the contents of all the titles affected - Shorten the length of the 'interface' template - Fix syntax on debian/NEWS - Remove empty dirs -- Javier Fernandez-Sanguino Pen~a Thu, 27 Dec 2007 09:14:00 +0100 snort (2.7.0-7) unstable; urgency=low * Remove empty comment line in lsb headers -- Javier Fernandez-Sanguino Pen~a Mon, 01 Oct 2007 03:01:26 +0200 snort (2.7.0-6) unstable; urgency=low * Create a separate snort-libraries package and move all the libraries that were previously (wrongly) included in the snort-common package there (Closes: #439642) * Add proper LSB headers, license and copyright to the init.d file * Also add proper messages to the init script and proper checks to generate the correct errors when non-root users try to run the script. The exit status of the script should now better reflect the problems found. * Removed dependencies on essential packages (coreutils) * Recode Debian changelog to UTF-8 -- Javier Fernandez-Sanguino Pen~a Mon, 01 Oct 2007 01:24:32 +0200 snort (2.7.0-5) unstable; urgency=low * Initialise variables in preinst to prevent collisions with predefined environment variables (Closes: #443481) -- Javier Fernandez-Sanguino Pen~a Fri, 21 Sep 2007 22:49:25 +0200 snort (2.7.0-4) unstable; urgency=low * Fix phrase in the NEWS file -- Javier Fernandez-Sanguino Pen~a Wed, 29 Aug 2007 18:26:45 +0200 snort (2.7.0-3) unstable; urgency=low * Move over the package to unstable. * Fix FTBFS at Ubuntu due to snort_manual.tex still using latex2html's html.sty. Thanks Michael Bienia for spotting this and pointing at the issue with a patch (Closes: 436244) * Fixed a typo in the French translation (Closes: 432840) * Fix documentation errors in debian/README-database.debian. 
(Closes: 416400) -- Javier Fernandez-Sanguino Pen~a Mon, 06 Aug 2007 23:28:02 +0200 snort (2.7.0-2) experimental; urgency=low * Fix generation of the common snort binary, which was distributed without prelude support. * Fix location of dynamic engines in snort.conf * Change signatures 1443 and 1444 since there was an error in their definition ( Cannot use 'rawbytes' and 'http_uri' as modifiers for the same "content" nor use 'rawbytes' with "uricontent". ) -- Javier Fernandez-Sanguino Pen~a Wed, 01 Aug 2007 02:49:50 +0200 snort (2.7.0-1) experimental; urgency=low * New upstream release (Closes: #435417, #404991, #320920, #323985) - Fixes DOS attack: CVE-2006-6931 - "Backtracking Algorithmic Complexity" DoS against IDS engine (Closes: #407421) * Introduce all the rules available from the 2.4 release which are GPL and are non-VRT certified, that is, all rules which are outside of the range [3,465-1,000,000]. This amounts to a total of 3935 rules (820 of which are Community released). * In order to handle rulesets with mixed GPL and non-GPL rules two scripts have been made available in the source rules/ subdirectory: - remove-non-gpl.pl - Given a rules file removes all rules outside the above range - purge-non-gpl.sh - Given a directory dumps on the local directory only rules outside this range. In order to limit maintainer overhead the header for modified rulesets has not been changed. * Include the VRT license file. This file is kept for reference under the rules/ dir, although *no* rule in this package is under that non-free license. * Include a NEWS.Debian item describing the license change and the rules distributed within this package. 
* Provide support for Prelude in both snort and snort-inline packages but not in the database packages (Closes: #320920) * As a consequence of the above Build-Depend on libprelude-dev, iptables-dev * The examples are now included in the -common package instead of having them in all the binary packages. This package provides support to make an experimental separate binary package for inline support: snort-inline, in which most of the configuration is shared with the snort binary package but the PPP related options have been removed. However, snort-inline does not support libnet 1.1 so we cannot provide it yet. This has been changed in Snort's code but it's far from complete: - Make the configure script work with libnet 1.1. - Port parts of the API (some declarations) to 1.1 -- Javier Fernandez-Sanguino Pen~a Tue, 31 Jul 2007 23:35:06 +0200 snort (2.3.3-15) unstable; urgency=low * Include all the community signatures available as of today into the snort-signatures package. This means 820 new signatures go in. * Sync mappings: * Updated the gen-msg.map under rules/ with the maps under etc/ * Updated the sid-msg.map under etc/ with the maps under rules/ -- Javier Fernandez-Sanguino Pen~a Tue, 31 Jul 2007 21:57:46 +0200 snort (2.3.3-14) unstable; urgency=low * Use the patch provided by Matt Kraai to fix the FTBFS due to the tetex -> Texlive transition. 
Also make the package Build-Depend on texlive and texlive-latex-base instead of tetex-bin and tetex-extra (Closes: 419454) -- Javier Fernandez-Sanguino Pen~a Sun, 22 Apr 2007 16:41:50 +0200 snort (2.3.3-13) unstable; urgency=low * Translations added: - Tamil translation, provided by Tirumurti Vasudevan (Closes: #413830) - Russian translation, provided by Yuriy Talakan' (Closes: #411822) -- Javier Fernandez-Sanguino Pen~a Tue, 13 Mar 2007 16:30:52 +0100 snort (2.3.3-12) unstable; urgency=low * Translations updated: - Czech (Closes: #408619) - Swedish * New translations - Galician, provided by Jacobo Tarrio (Closes: #409651) - Italian, provided by Gianluca Cotrino. Slightly edited to fix header. (Closes: #411270) - Romanian, provided by Eddy Petrisor (Closes: #409505) - Portuguese, provided by Miguel Figueiredo -- Javier Fernandez-Sanguino Pen~a Sun, 18 Feb 2007 12:25:45 +0100 snort (2.3.3-11) unstable; urgency=low * Restore German translation (somehow removed in previous upload), courtesy of Erik Schanze (Closes: #397017) -- Javier Fernandez-Sanguino Pen~a Tue, 2 Jan 2007 17:26:10 +0100 snort (2.3.3-10) unstable; urgency=low * Fix snort-mysql template to prevent translators from duplicating work (two templates were nearly identical except for a double space) [ Translations update ] * Updated Spanish translation * Updated Japanese translation, courtesy of Hideki Yamane (Closes: #391894) * Updated German translation, courtesy of Erik Schanze (Closes: #397017) * Updated Dutch translation, courtesy of Peter Vandenabeele. 
* Updated Vietnamese translation, courtesy of Clytie Siddall * Fix error in Catalan translation (which made msgstat fail) -- Javier Fernandez-Sanguino Pen~a Thu, 21 Dec 2006 19:52:38 +0100 snort (2.3.3-9) unstable; urgency=low * Do not try to remove /etc/snort in postrm if it does not exist anymore when purging (Closes: #389766) * Simplify coreutils dependencies (Closes: #381836) -- Javier Fernandez-Sanguino Pen~a Sun, 1 Oct 2006 23:29:20 +0200 snort (2.3.3-8) unstable; urgency=medium * Fix security issue CVE-2006-2769, potential evasion in URI content buffers. This evasion only applies to Apache-protected servers, since that server supports some characters. The patch used is from 2.4.5 and is *not* the one provided by Demarc (which is not fully comprehensive and is much more intrusive). Since this is an evasion issue and not a real security issue, the urgency is set to 'medium' even though it fixes a security bug (Closes: #381726) From upstream (snort.org webpage, News item "Possible Evasion in http_inspect"): «The Apache web server supports special characters in HTTP requests that do not affect the processing of the particular request. The current target-based profiles for Apache in the http_inspect preprocessor do not properly handle these requests, resulting in the possibility that an attacker can bypass detection of rules that use the "uricontent" keyword by embedding special characters in a HTTP request.» «It is important to note that this is an evasion and not a vulnerability. This means that while it is possible for an attacker to bypass detection, Snort sensors and the networks they protect are not at a heightened risk of other attacks.» * Backport fix of another (different) potential evasion in Stream4 (also in the Snort 2.4.5 release, no CVE name) * Relocate Czech translation, it was not under debian/po * Add a warning in /etc/default/snort that the SNORT_USER will be modified (with usermod) every time you reinstall the package (don't change it to 'root'!) 
-- Javier Fernandez-Sanguino Pen~a Thu, 10 Aug 2006 00:44:36 +0200 snort (2.3.3-7) unstable; urgency=low * *Really* recompile to use latest libmysqlclient libraries (Closes: #366748) -- Javier Fernandez-Sanguino Pen~a Sat, 3 Jun 2006 15:20:57 +0200 snort (2.3.3-6) unstable; urgency=medium * Recompile to use latest libmysqlclient libraries (Closes: #366748) * Remove the following unused dependencies as suggested by Stefan Huehner: libsnmp4.2-dev and libssl-dev (and their --with calls in debian/rules) . I'm still keeping the coreutils | fileutils dependency since I still want to compile this package in woody.(Closes: #365874) * Also remove DH_COMPAT from debian/rules as suggested by Stefan Huehner in #365874 * Move 'debian/my/lisapaper.txt' to snort-doc.docs and remove from snort, snort-pgsql and snort-mysql doc files (Closes: #340091) * Have faq.tex use hyperref.sty instead of latex2html's html.sty and comment the \latexonly definitions. This makes latex2html unnecessary to build the package (Closes: #365872) * doc-base files now point to the compressed PDF documents (lintian fix) * Updated debconf translations: - French translation provided by Christian Perrier (Closes: #359285) -- Javier Fernandez-Sanguino Pen~a Mon, 29 May 2006 20:05:29 +0200 snort (2.3.3-5) unstable; urgency=low * Updated Build-Dependencies to use libmysqlclient15-dev instead of the old libmysqlclient10 library (Closes: #356706) * Add a 'DEBIAN_SNORT_SEND_STATS' option (controlled by debconf) to allow users to define if snort should send daily stats. 
Users that want to change the frequency should manually move over the cron.daily script to other cron.XXX locations (Closes: #353035) * Updated debconf translations: - Dutch translation with patch provided by Peter Vandenabeele - Spanish Debconf translation ('send_stats' template) * Do not indent '@' in the e-mail of users that receive the stats (Closes: #335803) * Preliminary code (only in snort.config) to detect if the default interface is up when configuring Snort, the Debconf question priority is raised if the interface is not up or it does not exist and the user is pestered if he still provides an invalid answer (unless he doesn't see the question, which is the case if running with debconf priority set to 'high', in this case, we bail out) Note: will introduce this in the DB packages after it gets some testing out there. * Change the Debconf priority of the note that warns that the configuration is not working to 'critical' (was 'high') * Acknowledge NMU made by Margarita: * Drop automake1.6 dependency in Build-Depends (Closes: #335143) * Updated config.guess and config.sub with the latest versions available to prevent FTBFS on GNU/k*BSD (Closes: #342446) * Updated german debconf translation with patch provided by Erik Schanze (Closes: #345855) -- Javier Fernandez-Sanguino Pen~a Wed, 22 Mar 2006 02:09:01 +0100 snort (2.3.3-4) unstable; urgency=low * Build-Depend on newer automake version: 1.7 (Closes: #335143) -- Javier Fernandez-Sanguino Pen~a Tue, 17 Jan 2006 02:10:41 +0100 snort (2.3.3-3) unstable; urgency=low * Properly remove the snort user on purge. 
-- Javier Fernandez-Sanguino Pen~a Thu, 20 Oct 2005 01:13:47 +0200 snort (2.3.3-2.1) unstable; urgency=low * NMU to drop automake1.6 dependency (Closes: #335143) * Updated config.guess and config.sub (Closes: #342446) * Updated german debconf translation (Closes: #345855) -- Margarita Manterola Sun, 22 Jan 2006 21:54:43 -0300 snort (2.3.3-2) unstable; urgency=high * Backport the following changes introduced in 2.4.1. Upstream changelog: * src/log.c: Fix problem in sniffer mode when incomplete TCP option data is received. Thanks A Hernandez for the find. (Closes: #328134) Note: This is a "security" bug but no CVE is assigned, it is actually something that can happen only if a Snort user willingly shoots himself on the foot (uses ASCII logging mode) or if he uses the fast output mode with some non-default options. For a detailed view see: Martin Roesch's mail "Snort DoS Fallacies" to snort-users and bugtraq: http://marc.theaimsgroup.com/?l=bugtraq&m=112665341207363&w=2 http://marc.theaimsgroup.com/?l=snort-users&m=112657845119746&w=2 http://marc.theaimsgroup.com/?l=snort-users&m=112667020331513&w=2 http://marc.theaimsgroup.com/?l=snort-devel&m=112672013010948&w=2 and also http://www.snort.org/pub-bin/snortnews.cgi#58 To summarise: The only recommended alert methods in a production sensor are unified, syslog or database. And unified is The Right Way to run a sensor (others have important performance issues under high load ) NOTE to Debian Security teams: I don't believe this bug merits a DSA (or a DTSA for that matter) (Closes: #328134) * Backport the following changes introduced in 2.4.2. Upstream changelog: * src/output-plugins/spo_log_database.c: * schemas/create_mysql: Fixes to address schema being a keyword in MySQL 5.0. Thanks Wes Young, Adolfo Gomez, and Aleem Mawji for the updates. 
(Closes: #327791) * Added Swedish translation provided by Daniel Nylander (Closes: #330834) -- Javier Fernandez-Sanguino Pen~a Fri, 30 Sep 2005 21:21:43 +0200 snort (2.3.3-1) unstable; urgency=low * New upstream release. * Use upstream's FAQ in PDF format instead of debian/my/FAQ.txt, also have the FAQ available only in the snort-doc package (after fixing the Makefile so that the faq.tex file does not get removed on distclean) * Fix typo in snort.8 manpage (Closes: #326538) * Fixed address of the FSF in debian/copyright * Updated debconf translations: - Vietnamese provided by Clytie Siddall -- Javier Fernandez-Sanguino Pen~a Wed, 31 Aug 2005 19:47:16 +0200 snort (2.3.2-8) unstable; urgency=low * _Really_ use debhelper compat version 4 now * Remove debian/*conffiles since debhelper now marks them as config files -- Javier Fernandez-Sanguino Pen~a Sat, 27 Aug 2005 01:50:40 +0200 snort (2.3.2-7) unstable; urgency=low * Fix lintian warnings * Fix error in database config scripts (when not upgrading, the wait_for_db_config key does not exist) (Closes: #325223) * Updated debconf translations: - French provided by Christian Perrier -- Javier Fernandez-Sanguino Pen~a Thu, 25 Aug 2005 21:52:19 +0200 snort (2.3.2-6) unstable; urgency=low * Add Dependency on "debconf | debconf-2.0" as requested by Joey Hess * Use Debhelper compatibility version 4 * New mechanism for database packages: - Introduce a mechanism to create /etc/snort/db-pending-config on initial installation of the database packages. - Have the init.d script abort the start attempt if the /etc/snort/db-pending-config file exists. - Describe how to setup the database support in README-database.Debian and install this document in the database packages. (Closes: #205683, #219696, #265735, #265878, #290104, #291616) * po-debconf changes: (still waiting a little bit before switching to dbconfig-common) - Sinchronise all the debconf templates of the different snort variants. 
- Change the wait_for_db_config message, now called 'needs_db_config' and provides slightly different information. - Fixed typos in German debconf translation courtesy of Jens Seidel (Closes: #313906) - Added Japanese translation contributed by Hideki Yamane (Closes: #310096) - Added Vietnamese translation contributed by Clytie Siddall (Closes: #318695) - Added Czech translation contributed by Jan Outrata (Closes: #321738) - Updated the Spanish translation. - Improve the debconf dialog with suggestions from Justin B Rye (Closes: #306269) - Fix the templates so that all the files use the same strings, that should reduce the workload of translating almost identical lines. (but also fuzzies more of the translations above) -- Javier Fernandez-Sanguino Pen~a Thu, 25 Aug 2005 14:59:29 +0200 snort (2.3.2-5) unstable; urgency=medium * Medium priority since it seems some buildds are not auto building snort ok and this changes fix it. * Use PostgreSQL 8.0 now as requested by Martin Pitt. Basicly just changed the build-depends and use 'pg_config --includedir' when setting the location of the PostgreSQL location. * Changes to configure.in: (Closes: #313499) * Fixed configure.in so that it uses the --with dir directly first (intead of looking for $i/include and stuff like that). * Fixed configure.in so that it outputs the PostgreSQL directories it tested by fixing a typo. * Have all ERROR messages abort with an exit 1 so that the Makefile breaks and we will notice the error if doing an automatic build. -- Javier Fernandez-Sanguino Pen~a Tue, 14 Jun 2005 19:33:49 +0200 snort (2.3.2-4) unstable; urgency=low * Snort, snort-pgsql and snort-mysql now depend on either coreutils or earlier packages which provided 'stat'. 
This should prevent partial-upgrades of woody systems which prevent snort's init scripts from running (Closes: #311616) -- Javier Fernandez-Sanguino Pen~a Fri, 3 Jun 2005 16:24:50 +0200 snort (2.3.2-3) unstable; urgency=high * Pre-Depend on adduser since we use it on preinst * Changed debian/TODO * Snort-common now Replaces old snort versions (1.8.4beta1-1) since the configuration files where moved there from snort. Save for the ppp configuration file which was moved from snort-common to snort. Snort now Replaces snort-common versions previous to 2.0.2-3, that introduced the change, cannot conflict since we will end up with circular dependencies. (Closes: #311257) * Check MD5sums before rule files are moved from the old location to the new one in snort-rules-default's preinst when upgrading. If the files have not been changed from the ones provided by the woody version then remove them (Closes: #311263) -- Javier Fernandez-Sanguino Pen~a Wed, 1 Jun 2005 09:47:04 +0200 snort (2.3.2-2) unstable; urgency=low * Have snort-common Conflict on versions prior to the Source-Version to prevent users upgrading snort-common without upgrading snort. (Closes: #300785 * Fixed homepage location of Snort (Closes: #300727) * Fixed snort-stat so it can be used when the -y option is used with Snort, thanks to the patch provided by Chirik (Closes: #200276) * Updated German translation courtesy of Erik Schanze -- Javier Fernandez-Sanguino Pen~a Tue, 22 Mar 2005 01:26:55 +0100 snort (2.3.2-1) unstable; urgency=low * New upstream release. 
- Fixes some bugs in preprocessors - Rules updates * Fixed format of NEWS file, updated the version of the changelog entry so that everybody will read it on next upgrade (Closes: #299334) * Added debconf french translation provided by Christian Perrier (Closes: #299016) * Updated debconf dutch translation provided by Peter Vandenabeele (Closes: #296152) * The PPP script will now use the new /etc/default/snort mechanism (Closes: 298003 -- Javier Fernandez-Sanguino Pen~a Mon, 14 Mar 2005 13:26:45 +0100 snort (2.3.0-7) unstable; urgency=low * Do not change the permissions of /var/log/snort/ and /etc/snort/snort.conf if the administrator has setup an override using dpkg-statoverride (Closes: #296927) * Updated translation to Catalan with the one provided by Aleix Badia i Bosch -- Javier Fernandez-Sanguino Pen~a Sat, 26 Feb 2005 13:09:14 +0100 snort (2.3.0-6) unstable; urgency=low * Added tetex-extra to Build-Depends (Closes: #296814) * Refer to the proper file in debconf template (Closes: #296809) * Updated the spanish debconf translation. -- Javier Fernandez-Sanguino Pen~a Fri, 25 Feb 2005 00:43:19 +0100 snort (2.3.0-5) unstable; urgency=low * Upload of the experimental package to unstable Even though I don't get to fix #205683 and friends (and I would like to, before the release) This release Closes #283816, #241995, #289405, #247603 * Do not rotate log files if empty (Closes: #193299) * Added dutch translation (Closes: #247603) * Added yet another TODO item -- Javier Fernandez-Sanguino Pen~a Tue, 22 Feb 2005 21:36:40 +0100 snort (2.3.0-4) experimental; urgency=low * Call dh_installdocs with -i or -a depending on target, rename (Closes: #295228, #294755) * NEWS.Debian file to NEWS -- Javier Fernandez-Sanguino Pen~a Tue, 15 Feb 2005 08:33:34 +0100 snort (2.3.0-3) experimental; urgency=low * Create manual in build-indep location (Closes: #294755) * Fixed location of snort_manual and lisapaper in their respective doc-base files. 
* Added a reference to the FAQ through a new doc-base file. -- Javier Fernandez-Sanguino Pen~a Sat, 12 Feb 2005 12:23:35 +0100 snort (2.3.0-2) experimental; urgency=low * Improved postrm purge action by removing also obsolete configuration (since it's no longer in the conffiles) and the group. Also, synced all postrm scripts (mysql did not included the rmdir /etc/snort code) -- Javier Fernandez-Sanguino Pen~a Wed, 9 Feb 2005 08:44:05 +0100 snort (2.3.0-1) experimental; urgency=low (First attempt at experimental, to avoid breaking installations running sid) * New upstream release * This version now uses libnet1, changed Build-Depends (Closes: #241995) * Introduced /etc/default/snort and removed /etc/snort/common.parameters this makes it easier to check for common situations (parsing the parameter file is quite complicated). The old common.parameters file is moved over to /etc/default/snort automatically, but retained in case the parsing has not been done properly (and will not be used until the common.parameters file is removed). This is described in the NEWS.Debian file. * Fixed the postint call so that the passwd and group are checked before they are created. Also fix chown call (still used '.' instead of ':') * Introduce a check for the status of Snort's logdirectory, it checks if it belongs to Snort (Closes: #247603) * This release provides debconf support for snort sensors in multiple interfaces (Closes: #283816) * Run update-debconf, seems I had not done this when I last made changes in the templates in 2.2.0-8 * Included the documentation available, including signatures. Also added the LaTeX manual included as well as the additional Build-Depends on tetex-bin and gs-common * Updated the FAQ (was about time!) 
from http://www.snort.org/docs/FAQ.txt * Added a README.docs file (pointing people to more documents) * Updated translations: - German, provided by Erik Schanze (Closes: #289405) -- Javier Fernandez-Sanguino Pen~a Wed, 26 Jan 2005 09:18:53 +0100 snort (2.2.0-9) unstable; urgency=low * Removed old (obsolete) converstion of PPPENV in /var/tmp in postinst which actually might open up security holes when using dialup access and installing/upgrading the package. * Updated translations: - Japanese, provided by Hideki Yamane (closes: #283128) - French, provided by Christian Perrier (closes: #284559) -- Javier Fernandez-Sanguino Pen~a Mon, 20 Dec 2004 01:35:21 +0100 snort (2.2.0-8) unstable; urgency=low * Updated the README.Debian file with proper information on how to setup multiple interfaces and rewrote the Debconf question to specify that it can be used to define multiple interfaces (Closes: #283816) * Added some additional TODO notes -- Javier Fernandez-Sanguino Pen~a Wed, 1 Dec 2004 17:04:38 +0100 snort (2.2.0-7) unstable; urgency=low * Make snort-common Arch: all (Closes: #278987) * The installation will now check if you are using a configuration that will not be able to work with the current Snort version and will forewarn you. The package installation will still fail (if Snort is started automatically) but the administrator will be pointed to where the error is (Closes: #165107) * Use dh_installman instead of dh_installmanpages and provide proper PACKAGE.manpages file since dh_installmanpages now fails to create the snort-common package properly. * Updated to the latest rules snapshot * Added an 'update-rules' target in debian/rules that downloads the latest rules snapshot and installs it in the package. 
[ Translations ] * Dutch update, provided by cobaco (Closes: #278719) * Japanese update, provided by Hideki Yamane (Closes: #279028) * French update, provided by Christian Perrier (Closes: #279833) * German update, provided by Erik Schanze (Closes: #280964) -- Javier Fernandez-Sanguino Pen~a Sat, 30 Oct 2004 22:47:34 +0200 snort (2.2.0-6) unstable; urgency=low * Added a 'config-check' option in init.d to test the user's configuration file. This could be used to determine (in postinst) if snort should be restarted and warn the user (not yet done). This will help fix #165107, #165351 (since similar user mistakes would be detected), #276565 and #247665. * Added more information to the TODOs * Moved DEBIAN_TRESHOLD to DEBIAN_THRESHOLD (save for the debconf value in order to avoid reseting it) (Closes: #256581) * Removed double space in template (Closes: #275936) * The snort-rules package now Suggests: snort instead of depending on it (Closes: #249697) * Updated rules with the latest snapshot. -- Javier Fernandez-Sanguino Pen~a Mon, 25 Oct 2004 23:47:45 +0200 snort (2.2.0-5) unstable; urgency=low * Rules update -- Javier Fernandez-Sanguino Pen~a Wed, 13 Oct 2004 12:11:21 +0200 snort (2.2.0-4) unstable; urgency=medium * Fix typo introduced in previous upload that prevents ppp init script from loading properly common.parameters (Closes: #275439) -- Javier Fernandez-Sanguino Pen~a Fri, 8 Oct 2004 09:50:06 +0200 snort (2.2.0-3) unstable; urgency=high * Added config-file discovery to ppp init.scripts so that Snort is started (-c) with the proper configuration file if available or snort.conf if not. Setting high severity so that users running Snort with PPP don't end up with a full /var filesystem (Closes: #268707) * Fixed bashism in /etc/ppp/if-up.d/snort * Modified the init.d an if-up.d scripts so that /etc/snort/snort.common.parameters is only used if it exists. 
* Snort-rules-default now Recommends: oinkmaster now that it is in the archive (accepted 01 Oct 2004), this does not close #191105 since IMHO a better signature update mechanism should be introduced. Also updated the related TODO item. * Added a FAQ Q&A regarding rule updates in README.Debian * Added code to detect for deprecated preprocessors and warn the user, curretnly the code will not touch the configuration files himself and will not detect if you are using the standard package configuration file. It will prevent users from having configuration issues, however (Closes: #247665) * Modified the init.d file so you can use 'status' to determine if the Snort sensors are up or not. * Updated the 2.2 rule set with the snapshot provided at snort.org, new rules include detection of the recent JPEG exploit (Closes: #274244) * Fixed typo in templates (unfuzzied modified entries) and updated JA translation provided by Hideki Yamane (Closes: #273138) -- Javier Fernandez-Sanguino Pen~a Sat, 2 Oct 2004 12:41:50 +0200 snort (2.2.0-2) unstable; urgency=low * Taking over maintainership of this package (Closes: #265343) * Have Snort{,-mysql,-pgsql} depend on the same versions of the common packages (was not done in the previous release) * Updated JA translation (Closes: #271755) * Added a list of todo items in debian/TODO -- Javier Fernandez-Sanguino Pen~a Wed, 15 Sep 2004 10:42:43 +0200 snort (2.2.0-1) unstable; urgency=low + The 'Please Adopt Me!' release. + Fixed build-depends on libpcap0.8-dev closes: #263923 + Fixed failure to start on multiple interfaces, each interface now uses it's own configuration file. Closes: #248908 + Snort{,-mysql,-pgsql} depend on the same versioned rules + common Closes: #257078 + NL, DE, pt_BR, FR, JA translations added Closes: #265508, #264301, #246553, #246374, #239206 + New upstream release closes: #262297 -- Sander Smeenk Sun, 15 Aug 2004 15:24:39 +0200 snort (2.1.2-2) unstable; urgency=low ! 
Once again: Thanks Mario 'BitKoenig' Holbe for your great help: + Moved 'dialup' interface guessing from ppp/ip-up to postinst + Cleanup restart: only restart current running interfaces This also cleans up: 'dialup' logcheck failure, if no snort running + Prepare for multisensor support + Use start-stop-daemon --retry instead of sleep and kill -9 + Use invoke-rc.d only, if it exists Closes: #191574 + Correct please_restart to please_restart_manually + Re-Unified prerm and postinst scripts + Fix the backward-compatible just-kill-them-all in prerm; do we really need it? It definitely didn't work before and since the old-package prerm is called anyways, we shouldn't. + Simplify snort.debian.conf creation + snort-doc/examples now has a snort-rules auto-update script! Closes: #242521, thanks Marcel! + Updated fr.po by Christian Perrier Closes: #244048, thanks Christian! + Recent changes to init / ip-{up,down} scripts fixed this bug: Closes: #226236 + Fixed database schema's in {pg,my}sql packages. This does not fix the 'schema is not installed when debconf prompts for it'-problem. Closes: #244017 + Problem with snort-pgsql.template fixed. Closes: #244175 -- Sander Smeenk Sun, 18 Apr 2004 14:39:19 +0200 snort (2.1.2-1) unstable; urgency=low + New upstream release + Templates corrected (reflect same text at shared options, typos) + -b switch removed from snort startup, log_tcpdump changed to snort.log Closes: #241425, #171190 + French debconf translation by Christian Perrier Closes: #241991 + Added checks on purge of snort-rules-default. Fixed breakage Closes: #239542 + Firewall interaction is explained in the FAQ Closes: #217174 + Snort now has snort.common.options, and no -b anymore. Closes: #217244 + Changed helptext in snort.debian.conf to be more generic. Closes: #196694 + Improved dialup suppport. MANY Thanks to Mario 'BitKoenig' Holbe for his great work on this subject and the changes to the init script! 
Closes: #226236 -- Sander Smeenk Sun, 4 Apr 2004 15:12:27 +0100 snort (2.1.1-1) unstable; urgency=low + New upstream release Closes: #238427 + Added catalan debconf templates (debian/po/ca.po) Closes: #236644 + Fixed packaging bugs. + Applied following changes by Javier Fernández-Sanguino Peña. Thanks!! * Snort group is now created using --system in all packages Closes: #231580 * Both the cron.daily script and the postinst scripts set a default value for STATS_RCPT and STATS_TRESHOLD to avoid buggy behaviours if the user does not setup a proper value when interfacing with debconf. Still, these values should be checked in the config scripts. (Closes: #173331) * Snort-stat now exists if there are no results which will avoid it from sending empty emails (Closes: #217913, #174508, #192401, #172529) * Improved the explanations in several templates (Closes: #217173) * Updated Japanese translation (and fixed some po format errors, hopefully without damaging the po file) (Closes: #226680) * Included Catalan debconf translation (Closes: #236644) * Updated pt-BR debconf translation (Closes: #228244) * Re-Added (partial) spanish debconf translation (it seems that the work I did back in december 2001 has not been moved to po-debconf!) -- Sander Smeenk Wed, 17 Mar 2004 18:46:28 +0100 snort (2.1.0-4) unstable; urgency=low + Fixed FTBFS with -B flag specified to dpkg-buildpackage Thanks Pascal Hakim. + Restart target in init.d script requires a sleep on slow systems. Thanks Marco Gaiarin. + Updated the ja.po templates -- Sander Smeenk Wed, 1 Mar 2004 00:00:00 +0100 snort (2.1.0-3) unstable; urgency=low + Split binary-indep packages from binary-arch target Closes: #226072, #157708, #185806 + ip-up.d script now correctly guesses the PPPENV settings Closes: #225956 + Updated the fr.po templates Closes: #225906 -- Sander Smeenk Sun, 04 Jan 2004 12:51:38 +0100 snort (2.1.0-2) unstable; urgency=low + Added example init.d script to manage multiple sensors. 
+ No longer kills custom daemons at init.d stop Closes: #181637 + Fixed build-dependency on libpcre3-dev Closes: #225707 + Fixed manpage to reflect new SIGHUP handling Closes: #122689 + Already implemented 'statesaving' dialup scripts Closes: #101725 + Changed default flow-portscan configuration Closes: #225506 -- Sander Smeenk Fri, 02 Jan 2004 13:01:54 +0100 snort (2.1.0-1) unstable; urgency=low + New upstream version + Depend on perl-modules for perlscripts Closes: #212805 + Fixed breakage of upgrades when conffiles were removed by user Closes: #207970 + Added japanese translation of templates Closes: #224191 -- Sander Smeenk Sun, 21 Dec 2003 15:48:55 +0100 snort (2.0.2-3) unstable; urgency=low * ip-up.d/snort and init.d/snort now use the same startup arguments with an extra config file that holds the common parameters. Closes: #217244 + ip-{up,down}.d/snort moved from snort-common to snort{,-mysql,-pgsql} * Clarified debconf questions. Fixed typos, corrected grammar. Closes: #217173 * Updated what documenation files are included. Closes: #217174 -- Sander Smeenk Fri, 24 Oct 2003 18:05:26 +0200 snort (2.0.2-2) unstable; urgency=low * Fixed 'native package' problem Closes: #216326 * Fixed syntaxerrors in init script Closes: #215142 -- Sander Smeenk Sun, 19 Oct 2003 16:11:09 +0200 snort (2.0.2-1) unstable; urgency=low Pascal: * Make snort-rules-default depend on a recent version of snort Closes: #135603 * Delete configuration files and log files on purge. Closes: #180043 Sander: * Fixed the init.d script to not start snort in dialup mode at boot. 
Closes: #207291, #208003 -- Sander Smeenk Wed, 08 Oct 2003 21:09:34 +1000 snort (2.0.1-3) unstable; urgency=low + Fixed FTBFS: automake1.6 dependency (Closes: #207010) -- Sander Smeenk Mon, 25 Aug 2003 10:45:31 +0200 snort (2.0.1-2) unstable; urgency=low + Snort now co-maintained by Pascal Hakim + fr.po added, forgot the NMU by Christian Perrier + Untranslatable strings marked for translation fixed Closes: #206972, #192952 + create_postgresql.gz has been updated and now uses 'TIMESTAMP' Closes: #206372 + Changed the init.d's "start" section to support dialup mode Closes: #205873 + SNMP support has been removed upstream, I forgot to remove the MIB message from snort-common Closes: #206668 + Since the MIB note was removed, this also fixes inapropriate use of debconf, which Closes: #205085 -- Sander Smeenk Sun, 24 Aug 2003 11:41:23 +0200 snort (2.0.1-1) unstable; urgency=low + New upstream source -- Sander Smeenk Tue, 19 Aug 2003 16:32:46 +0200 snort (2.0.0-3.1) unstable; urgency=low + Eeps! Forgot my versioned dependencies! -- Sander Smeenk Mon, 05 May 2003 21:02:13 +0200 snort (2.0.0-3) unstable; urgency=low + Added 'Provides: Snort' to snort-{pg,my}sql (Closes: #190064) + Moved parameter -b to snort.conf (Closes: #190748) + Seems fixed, according to submitter (Closes: #184596) + Fixed ppp/ip-up.d/snort, first source, then test (Closes: #190999, #191894) + Dependency on libpq3 isn't mandatory since postgresql-dev depends on it. (Closes: #191570) -- Sander Smeenk Mon, 05 May 2003 20:27:03 +0200 snort (2.0.0-2) unstable; urgency=low + Fixed PPP environment variables in ip-up.d. 
(Closes: #190107) I really don't know how to support multiple instances of snort here + Versioned depends on snort-rules-default (Closes: #190111) + Fixed wrong pid-finding init.d script (Closes: #190154) + cronjob 'snort' renamed to '5snort' again (Closes: #190303) -- Sander Smeenk Wed, 23 Apr 2003 21:00:23 +0200 snort (2.0.0-1) unstable; urgency=high + New Upstream version + SECURITY FIXES (Closes: #189267) - XML logging and SNMP notification seems to be removed upstream ? + The init.d script has added intelligence that will hopefully detect wether snort was running in manual mode / dialup mode when logrotate ran, and leave it in that state (Closes: #186060) + Tried to fix snort-stat by adding -a option (Closes: #186214) + Renamed cronjob 5snort to snort (Closes: #186380) + Rebuilt with new libsnmp-0.4.2 linking (Closes: #186415) + po-debconf patch applied, thanks (Closes: #186881) + Including sid-msg.map and gen-msg.map (Closes: #187291) -- Sander Smeenk Sat, 05 Apr 2003 13:32:18 +0200 snort (1.9.1-4) unstable; urgency=low + Added dependency on perl-modules to snort-common (Closes: #185180) + Attempt 1 at fixing snort-stat again (Closes: #184622) + init.d script tells how to start snort on dialup system (Closes: #181074) + snort-stat supports -a now (scan whole file) (Closes: #184282) -- Sander Smeenk Tue, 18 Mar 2003 21:37:47 +0100 snort (1.9.1-3) unstable; urgency=low + Fixed Override Disparities + Added section to snort-paper (Closes: #183988, #183388) -- Sander Smeenk Wed, 12 Mar 2003 09:04:30 +0100 snort (1.9.1-2) unstable; urgency=low + Fixed PostgreSQL CreateDB-scheme (Closes: #181733) + Fixed snort-doc (Closes: #183988, #183388) + A supposed fix for #181477 introduced a new bug which is now fixed (Closes: #184128, #184071) + Fixed -s commandline argument. It doesn't need an argument. 
(Closes: #183790) + Startup arguments for init.d invocation and pppd invocation are now 'the same' (Closes: #183554) -- Sander Smeenk Mon, 10 Mar 2003 23:57:12 +0100 snort (1.9.1-1) unstable; urgency=high * SECURITY FIX ISS X-Force has discovered a remotely exploitable buffer overflow condition in Snort. A buffer overflow flaw exists in Snort RPC preprocessing code that is vulnerable to attack. -- Sander Smeenk Mon, 03 Mar 2003 21:15:27 +0100 snort (1.9.0rel-4) unstable; urgency=low + Changed logrotate (Closes: #176495) + Renamed 'portscan2' to 'portscan2.log' (Closes: #173978) + Recompile Fixed PostgreSQL dependency (Closes: #175977) + Applied patch against snort-stat (Closes: #175657) + Added 'portscan2-ignorehosts' example + enabled for $HOME_NET (Closes: #173985) + Marks old 'snort.rules.files' OBSOLETE (Closes: #173981) + Fixed snort-stat manpage to reflect alert.log (Closes: #175364) + Fixed snort-pgsql logging bug with last_cid (Closes: #166722) + Updated snort-rules-default to latest version + Recompile fixed libsnmp5 dependency (Closes: #183094, #182722) + Init scripts fixed (Closes: #181497) + Changed rights on /var/log/snort to snort.adm (Closes: #180216) + Fixed mkdir -p in snort-rules-default preinst (Closes: #180046) -- Sander Smeenk Sat, 25 Jan 2003 16:48:40 +0100 snort (1.9.0rel-3) unstable; urgency=low + Using invoke-rc.d instead of direct /etc/init.d calls (Closes: #165135) -- Sander Smeenk Thu, 17 Oct 2002 11:35:42 +0200 snort (1.9.0rel-2) unstable; urgency=low + Fixed Startup in Manual mode (Closes: #164644) + Fixed failing preinst in snort-rules-default (Closes: #164643) + No more useless cron messages (Closes: #158490) + Manually changed snort.c to fix -s cmdline problem (Closes: #164969) + DISABLED OLD PORTSCAN PREPROCESSOR, REPLACED BY PORTSCAN2 PREPROCESSOR -- Sander Smeenk Wed, 16 Oct 2002 19:58:29 +0200 snort (1.9.0rel-1) unstable; urgency=low + New Upstream Version + Moves old /etc/snort/*.rules to new rules/ directory (Closes: #158447, 
#160888) + Closes: #158845, leftover bug fixed in previous upload. + Files *were* created with incorrect permissions (Closes: #162386) + Fixed Logrotate (Closes: #158042, #159456) -- Sander Smeenk Sat, 31 Aug 2002 15:59:16 +0200 snort (1.9.0beta4-5) unstable; urgency=low + ASN.1 Decoder turned OFF because of TOO MANY LOGENTRIES! * Fixed Bugs (Closes: #157443) + Commented out the 'Initializing Output Plugins!' message. + Changed to logrotate to rotate logfiles (Closes: #157706) * Unreproducable, but changed to new rotation system (Closes: #156896) + Specified 'portscan2.log' as portscan2 preprocessor logfile + Supports 'any' in the address range question to not trust any side of the network. Wishlist but no bug was filed for this. + Fixed faulty information in templates (Closes: #158708) + Added README.PHP in contrib/ for clearness (Closes: #158714) + snort-stat reported hostname with \n at the end, chomped off now. -- Sander Smeenk Fri, 23 Aug 2002 22:17:20 +0200 snort (1.9.0beta4-4) unstable; urgency=low + Severe postinst breakage when installing newer versions of Snort from scratch. Fixed. + Fixed world-writable logfiles problem (Closes: #155893) + Password-field must be filled in. + snort-mysql's postinst put postgresql config in snort.conf :( -- Sander Smeenk Tue, 20 Aug 2002 13:21:42 +0200 snort (1.9.0beta4-3) unstable; urgency=low + Fixed world-writable logfiles problem (Closes: #155893) + Password-field must be filled in. + snort-mysql's postinst put postgresql config in snort.conf :( -- Sander Smeenk Tue, 20 Aug 2002 11:11:35 +0200 snort (1.9.0beta4-2) unstable; urgency=low + Found nicer way of fixing #155893 (Closes: #155893) + Typo two typos in bugnumbers. Previous #153221 should be (Closes: #153211) Previous #156119 should be (Closes: #156199) Sorry for the mixups. 
It was late :/ + Fixed b0rking preinsts (Closes: #157085) -- Sander Smeenk Fri, 16 Aug 2002 00:03:41 +0200 snort (1.9.0beta4-1) unstable; urgency=low + Fixes world readable configuration file problem (Closes: #154977, #155484) + XML output should work in this release (Closes: #153845) + MIB's moved to /usr/share/snmp/mibs (Closes: #153221) + snort-stat now uses threshold (Closes: #147197) + SMTP rules have been disabled per default (Closes: #153817) + Fixed typo's in debconf screens (Closes: #154687) + 'Hacked around' the logfiles-not-group-readable problem (Closes: #155893) + Upload accepted (Closes: #156119) + Leftover bugs that have been fixed earlier (Closes: #134979) * Fixed but no-bugreports: + 'Initializing Plugins' log-message removed from src/plugbase.c + Rules have moved from /etc/snort to /etc/snort/rules/ + snort-{pg,my}sql now update the snort.conf file properly + stream4 evasion-detection disabled + more... -- Sander Smeenk Wed, 14 Aug 2002 22:00:24 +0200 snort (1.8.7-4) unstable; urgency=low + Typo in snort-stat, fixed. -- Sander Smeenk Sat, 03 Aug 2002 11:21:49 +0200 snort (1.8.7-3) unstable; urgency=low + snort-stat now shows hostname from where it's reporting. + ruleset tuning (Closes: #155084) + i see no rules with <- direction specifier, snort starts just the way it should with telnet.rules and backdoor.rules (Closes: #153400) + Specific major-version Build-Depends on libsnmp4.2-dev (Closes: #155163) -- Sander Smeenk Sat, 03 Aug 2002 01:34:49 +0200 snort (1.8.7-2) unstable; urgency=low + Fixed situations where snort got restarted by cronscript while being started in dialup-mode. Snort should support -HUP'ing. 
+ Fixed typo in /etc/snort/snort.conf (Closes: #152840, #152671) + Fixed stupid snmpd.conf auto-addition, that was bad (Closes: #153074) + Each MTA supplies 'sendmail' and each system has 'MTA' (Closes: #151678) + Snort-pgsql has debconf 'help' on configuring a DB (Closes: #149661) + Fixed snort-mysql.config problem (Closes: #110952) + Multiple subnets problem fixed (Closes: #146861) * Maintainer Wipes Forehead. -- Sander Smeenk Thu, 11 Jul 2002 21:06:50 +0200 snort (1.8.7-1) unstable; urgency=low + NEW UPSTREAM! * No more local-{first,last} creation in preinst (Closes: #152184) * var EXTERNAL_NET !$HOME_NET in snort.conf (Closes: #152182) -- Sander Smeenk Mon, 8 Jul 2002 10:59:16 +0200 snort (1.8.6-6) unstable; urgency=low * Fixed serious log-rotation problem (Closes: #151922) * Fixed typo in rules file: --enable-snmp versus --with-snmp + Reported in private mail, no bugs to close. * New ruleset & config & classification (Closes: #152070) * Not a bug (Closes: #152068) -- Sander Smeenk Fri, 5 Jul 2002 23:23:09 +0200 snort (1.8.6-5) unstable; urgency=low * Fixed 5snort cronjob, thanks for the patches. + Closes: #151336, #151341, #151393, #151395 * Can't check this problem, it looks fixed to me. + Closes: #94709 * Cronjob has been reworked so it uses /var/log/snort/alert, also snort.conf has been configured to log to syslog by default. + Closes: #146680 * Debconf frontend now supports multiple addresses (ranges) in address_range question. + Closes: #66932 * Bug-submitter thinks this bug is fixes now. + Closes: #104074 * Weird unaligned traps on alpha are unconfirmed snort-related. Also, haven't heard anyone else about this. + Closes: #130675 * Fixed the debconf script's perl-regexp to support multiple subnet-definition separated by commas + Closes: #146945 * Once more fixed /etc/snort/snort.conf _NOT_ to log to syslog, since that would stop logging to /var/log/snort/alert, and that would break the snort-stat cronjob, and more. 
-- Sander Smeenk Sun, 30 Jun 2002 00:29:26 +0200 snort (1.8.6-4) unstable; urgency=low + Fixed POSIX shell incompatibility (Closes: #150409) + Fixed Suggests instead of Recommends on snort-doc. (Closes: #150768, #150702) + Fixed RULE_PATH setting in snort.conf + Fixed syslog default log-type in snort.conf (Closes: #46680, #124169) + The cronjob in this release _tries_ syslogd-listfiles, and if that is not available defaults to /var/log/auth.log. (Closes: #120991) + Added section in README.Debian about FLEXRESP rules and snort-not-starting because of permission denied (Closes: #132577) + Fixed Subject: in body instead of headers (Closes: #132220, #145836) + Fixed 'misleading comments' in snort.conf (Closes: #145749) + The empty snort.conf problem was fixed in 1.8.6-1? (Closes: #144218) + This was fixed in an earlier release (Closes: #134792) + Applied patch against cronjob (Closes: #151229) + Package 'debianutils' is in base and required, so no dependancies are nescasary (Closes: #145837) + Subjectless email fixed (Closes: #145876) + Cronjob emails daily-alerts instead of weekly (Closes: #145901) + Looks fixed to me (Closes: #136220) + Thanks for the patches everyone!! Greatly appreciated! (Closes: #151257) -- Sander Smeenk Fri, 28 Jun 2002 11:22:13 +0200 snort (1.8.6-3) unstable; urgency=low * New Maintainer! Sander Smeenk + POSTGRESQL SUPPORT WHOO (Closes: #108348) -- Sander Smeenk Tue, 4 Jun 2002 21:28:15 +0200 snort (1.8.6-2) unstable; urgency=low * [debian/snort-rules-default.conffiles] Added missing entries. * [debian/rules] Honour DEB_BUILD_OPTIONS. * [debian/rules] Use a variable to hold configure options that are common to the variant packages. * [debian/rules] Use debhelper *.dirs . * [debian/*.doc-base] New. * Bumped Standards-Version. * Previous uploads fixed more bugs than noted. (Closes: #142508, #143294, #131948) * Enabled SNMP support. * Added Spanish translations to debconf templates. (Closes: #126725) * Changes above by JHM (thanks!) 
* Added a new snort_stat.pl (Closes: #143875, #131887, #143962) -- Robert van der Meulen Mon, 29 Apr 2002 13:03:24 +0200 snort (1.8.6-1) unstable; urgency=low * Sander Smeenk fixed: + Closes: #111533, #131047 * Changed snort.template and made a clear text about what HOME_NET is used for. I had to remove the de_DE and pt_BR translations though. + Closes: #134063 * The postinst now creates /etc/snort/snort.debian.conf if it doesn't exist by echoing a basic content into the file. Kinda ugly, but it works. + Closes: #132220, #134898, #136848, #139143, #139423 * These are all about snort-stat and empty daily emails. Reported against version 1.7-9, and it seems to be fixed now. + Closes: #109135, #117010 * Typo. Fixed. + Closes: #104447 * Ooooooh ns.somehost.tld is portscanning me! Add the nameservers to the DNS_SERVER value in snort.conf. Although I think this was fixed in 1.8.4beta2 + Closes: #116169 * I added 1 or 2 lines of short descriptive text to each package's description. It should be more clear now. + Closes: #67176, #130242, #133591, #79095, #102320 * These are left-over bugs. Fixed in earlier releases. + Closes: #128689, #131049 * Fixed the init.d script so that it doesn't say "already started" on errors. Snort returns 0(good) or 1(bad), not 2. + Closes: #143268 * The supplied patch didn't contain any valid patchable entries. The script has changed that much that I assume it has been fixed already. * Thanks, smeenk :) -- Robert van der Meulen Fri, 19 Apr 2002 16:21:35 +0200 snort (1.8.4beta1-2) unstable; urgency=low * Fixed 'Depends:' of 'snort' package to depend on new-style snort-common package. 
(Closes: #131730) * Marked some /etc/ files as conffiles (Closes: #132823) * Fixed build problems on some arches (Closes: #132912, #131741) * Fixed quoting error in virus.rules (Closes: #131947) * Fixed snort-common Replaces: line (Closes: #131701, #133106) * Removed snort.debian.conf from the package (Closes: #132517) * Fixed initscript to allow for multiple subnets (Closes: #125686) -- Robert van der Meulen Sun, 10 Feb 2002 16:11:55 +0100 snort (1.8.4beta1-1) unstable; urgency=low * New upstream release (Closes: #131517, #106093, #115955, #118270, #127564) * Moved config stuff to snort-common (Closes: #109862) * Fixed debconf instuctions for dialup (Closes: #113250) * Fixed snort-stat (Closes: #115873, #116964) * New upstream has icmp-info rules reordered (Closes: #111832) * Gave 'count' a bit more room in email reports (Closes: #102657) * Fixed snort cron script to not kill snort in dialup mode (Closes: #97950) * Fixed snort cron script to not send empty emails (Closes: #112100,#117079) * Fixed HOME_NET variable passing in init script (Closes: #117886) -- Robert van der Meulen Sun, 10 Feb 2002 15:41:40 +0100 snort (1.8p1-1) unstable; urgency=low * New upstream release * Depend on system-log-daemon|syslogd (Closes: #102511) * Fixed snort-stat empty log reports (Closes: #107515, #98944, #103542) * Fixed logfile pattern (Closes: #102787) -- Robert van der Meulen Tue, 14 Aug 2001 20:37:43 +0200 snort (1.7-9) unstable; urgency=low * Removed 'snort.debian.conf' from the 'conffiles' to avoid it being replaced. (Closes: #96950) * Fixed a lot of errors in the manpage. (Closes: #99873, #101868) * Removed '-s' option, and enabled logging to syslog in snort.conf. (Closes: #101873) * Fixed inconsequent ip-up.d and init.d behaviour (Closes: #101874) * Added pt_BR support (Closes: #93219) * Make snort stop before purging/removing. 
-- Robert van der Meulen Sun, 15 Jul 2001 14:04:35 +0200 snort (1.7-8) unstable; urgency=low * Have snort depend on system-log-daemon (Closes: #99203) * Changed package description (Closes: #99302) * Changed debconf 'extra options' question (Closes: #99303) -- Robert van der Meulen Sun, 17 Jun 2001 19:16:59 +0200 snort (1.7-7) unstable; urgency=low * Added a modified version of 'snort-stat', from Christian Hammers (Closes: #93739) * Changed '5snort' to do syslogd-listfiles --auth, to correctly list logfiles using the 'auth' facility. (Closes: #97467) * Modified crontab file to correctly keep /var/log/snort clean. (Closes: #97465, #97003) -- Robert van der Meulen Tue, 15 May 2001 20:40:03 +0200 snort (1.7-6) unstable; urgency=low * Added more paths in /etc/init.d/snort (Closes: #94651) * Removed non-US dependency on libssl096 (Closes: #92748) * Fixed old man-page synopsis bug (Closes: #90889) * Added 'please restart' notice for dialup users that upgrade(Closes: #90979). * Fixed 'snort.conf' indiscrepancy (comma-separated versus whitespace-separated) (Closes: #93742) * Added '-d' option for startup (Closes: #78667) * Added snort FAQ (Closes: #91219) -- Robert van der Meulen Mon, 30 Apr 2001 01:34:25 +0200 snort (1.7-5) unstable; urgency=low * fixed no-pidfile bug when using dialup interfaces. (Closes: #89133) * forgot to close host-timeout bug (Closes: #87838) * Removed bashisms from cron script (Closes: #88596) * Fixed start-stop-daemon paths in init.d script (Closes: #88678) * Corrected multiple -i startup option typo (Closes: #89131) * Added mysql support (Closes: #89840) * Applied 'unaligned trap on alpha' patches from Paul Slootman (Closes: #85684, #81092) -- Robert van der Meulen Thu, 22 Mar 2001 22:40:51 +0100 snort (1.7-4) unstable; urgency=low * lets-fix-lots-of-bugs release * Fixed snort-stat: - output is now 79 chars wide. (Closes: #70649) - output written to tempfile first, to work around 'host' timing out sometimes. 
(Closes: #74937) * There is no 'WARNING' message on startup, anymore (Closes: #79289) * Fixed crontab script to reflect /var/log/portscan.log -> /var/log/snort/portscan.log change. (Closes: #85571) * Fixed syntax error in cron file (*shame*) (Closes: #85686) * added check for existence of /var/log/snort/portscan.log in cron file (Closes: #86596 ) * Fixed syslog dependency problem (syslogd|syslog-ng) (Closes: #85807) * Changed crontab file to allow for multiple auth.* files (Closes: #84183) * Snort doesn't crash on empty logfiles. (Closes: #85284 ) * Snort generates correct snort-stat messages on a dialup link now. (Closes: #82504) -- Robert van der Meulen Fri, 2 Mar 2001 23:32:40 +0100 snort (1.7-3) unstable; urgency=low * Fixed a couple of bugs in the startup scripts for dialup. Closes: #85201 * Made postinst modify /etc/snort/snort.debian.conf. Closes: #85156 * 'hardwired' /etc/ppp/ip-up.d/snort to use the PPP interface. Closes: #85218 * Fixed problem with multiple 'auth' logfiles. Closes: #84316 -- Robert van der Meulen Fri, 9 Feb 2001 23:47:19 +0100 snort (1.7-2) unstable; urgency=low * Fixed a small bug in the cron.daily script; snort.conf -> snort.debian.conf -- Robert van der Meulen Tue, 6 Feb 2001 23:47:31 +0100 snort (1.7-1) unstable; urgency=low * New upstream version. * New maintainer * Moved /etc/snort/snort-lib to /etc/snort/snort.conf /etc/snort/snort.conf was a script to set DEBIAN config variables, it now is the base rule file. /etc/snort/snort.debian.conf does the 'old' job. * modified startup parameters for 'new style' -- Robert van der Meulen Sun, 4 Feb 2001 23:31:02 +0100 snort (1.6.3a-5) unstable; urgency=low * Accidently typed "echo" instead of "kill" in init script. Closes: #84345 -- Christian Hammers Thu, 1 Feb 2001 11:05:16 +0100 snort (1.6.3a-4) unstable; urgency=low * Enhanced init.d script. Fixes problems with cron rotations. * Now depends on debhelper. Closes: #75462 * Added german translation for debconf menus. 
Closes: #83873 * Is no longer accidently a "native Debian" package. Closes: #82097 * Problem with libmysqlclient.so.9 fixed long ago. Closes: #74798, 74806 * Debconf should be work fine now. Closes: #59726, #70711 * Adopted new homepage URL. Closes: #69805 * Problem no longer reproducable. Closes: #67732, #67734 * Added dependency to the virtual package "syslogd". Closes: #84183 -- Christian Hammers Wed, 31 Jan 2001 00:38:22 +0100 snort (1.6.3a-3) unstable; urgency=low * Changed the "interface" debconf question to medium. Closes: #80996 -- Christian Hammers Wed, 31 Jan 2001 00:10:01 +0100 snort (1.6.3a-2) testing unstable; urgency=low * Ok, forgot the ">/dev/null" after a savelog cron command... -- Christian Hammers Sun, 31 Dec 2000 01:11:37 +0100 snort (1.6.3a-1) testing unstable; urgency=low * This is still 1.6.3! Somehow the .orig.tar.gz got renamed so I have to make a new -1 upload. * Added rotation of /var/log/portscan.log. Closes: #80864 -- Christian Hammers Sat, 30 Dec 2000 17:52:58 +0100 snort (1.6.3-8) unstable; urgency=low * writed more good english in debconf template. Closes: #78367 * Adjusted debconf question for email recipient to "medium". -- Christian Hammers Fri, 1 Dec 2000 20:01:38 +0100 snort (1.6.3-7) unstable; urgency=low * Recompiled against new kernel to handle pppeo. (requested by jeffml@pobox.com) -- Christian Hammers Sun, 26 Nov 2000 14:55:25 +0100 snort (1.6.3-6) unstable; urgency=low * Added debhelper to build depends. Closes #75462 -- Christian Hammers Wed, 25 Oct 2000 10:51:23 +0200 snort (1.6.3-5) unstable; urgency=medium * Recompiled against libmysqlclient10. -- Christian Hammers Tue, 17 Oct 2000 11:00:11 +0200 snort (1.6.3-4) unstable; urgency=low * Added dependencies to adduser >= 3.11. Closes: #69425 -- Christian Hammers Sun, 20 Aug 2000 08:53:50 +0200 snort (1.6.3-3) unstable; urgency=low * Made postinst/preinst idempotent. 
Closes: 67732, 67734 -- Christian Hammers Sun, 20 Aug 2000 08:53:37 +0200 snort (1.6.3-2) unstable; urgency=low * Disabled defrag-preprocessor due to upstream bugs. -- Christian Hammers Mon, 24 Jul 2000 17:21:18 +0200 snort (1.6.3-1) unstable; urgency=low * New upstream release. * Now chrooted to /var/log/snort and running as snort:snort! * More scan detections added. * Applied fixed from Ian Zimmerman. Thanks. Closes: #66057 -- Christian Hammers Sun, 23 Jul 2000 14:11:50 +0200 snort (1.6.2.2-1) unstable; urgency=low * New upstream release 1.6.2.2. Minor patches. -- Christian Hammers Sun, 9 Jul 2000 23:21:16 +0200 snort (1.6.1-1) unstable; urgency=low * Many new scans for known vulnerabilities included! -- Christian Hammers Sat, 8 Jul 2000 17:06:47 +0200 snort (1.6-1) unstable; urgency=low * New upstream major release. -- Christian Hammers Tue, 4 Jul 2000 18:40:34 +0200 snort (1.5.1-12) unstable; urgency=low * Removed warning for port 53 source port traffic because old BINDs generated them. Closes: #65107 -- Christian Hammers Tue, 6 Jun 2000 19:07:06 +0200 snort (1.5.1-11) frozen unstable; urgency=low * Package could not be build on powerpc because there were some obsolete AM_PROG_INSTALL (now AC_PROG_INSTALL) statements in aclocal.m4. Closes: #57916 * Improved documentation about reading the tcpdump-style binary log file. Closes: #57789 -- Christian Hammers Sun, 13 Feb 2000 18:23:58 +0100 snort (1.5.1-10) frozen unstable; urgency=low * Make sure that snort's cron.daily script gets renamed to the new name in snort.preinst so that it won't be called twice. -- Christian Hammers Wed, 9 Feb 2000 12:37:53 +0100 snort (1.5.1-9) frozen unstable; urgency=low * Argh! Forgot to remove a malicious line in cron.daily. Closes: #57611 -- Christian Hammers Wed, 9 Feb 2000 11:10:53 +0100 snort (1.5.1-8) frozen unstable; urgency=low * Added "exit 0" to cron.daily script. 
-- Christian Hammers Sat, 5 Feb 2000 16:07:05 +0100 snort (1.5.1-7) frozen unstable; urgency=low * Applied upstream patch to get binary mode working. Now this is really 1.5.1 and not 1.5patch1, btw. * switched logging to tcpdump compatible binary mode so that snort is usable on 100MBit networks. Closes: #55949 * fixed daily report of the weekly rotated auth.log. Closes: #56476 * cron job restarts snort correctly. Closes: #56608 * postinst should start snort only if $startup=="boot". * sanified snort.config (thank to Mario Holbe, again) * removed debconf-bug compatibility. Closes: #54990 -- Christian Hammers Sat, 29 Jan 2000 17:57:34 +0100 snort (1.5.1-5) frozen unstable; urgency=low * User may only enter one interface and no comma separated list that confuses the postscript, too. Closes: #55567 * Explained a debconf question. Closes: #55568 * Fixed email address in copyright. * uncommented all backdoor-lib rules that do only whatch for a port >=1024, ignoring the content since they produce too much false-positives. (as requested by chirik@castlefur.com) * Added a note that this isn't actually 1.5.1 but 1.5patch1. * Included "real" manpage that upstream author wrote. -- Christian Hammers Sat, 22 Jan 2000 15:30:32 +0100 snort (1.5.1-4) frozen unstable; urgency=low * Workaroung for debconf bug (#55317). * Do not ask user for IP range when using dialup-mode. (They normally wouldn't know!) * -- Christian Hammers Sat, 22 Jan 2000 15:00:25 +0100 snort (1.5.1-3) frozen unstable; urgency=medium * Fixed cron script. Closes: #54553 * The following was done by --- Mario Holbe --- thanks again! * Fixed quoting of metacharacters in postinst. 
Closes: #54984 * replaced the snort.options thingy by a sh-based snort.conf - removed it from snort-lib - changed the README.Maintainer comment - changed rule for it - created snort.conf with slightly beautified variables * modified ip-down.d to work with new snort.conf * modified ip-up.d to work with new snort.conf * modified snort.init.d to work with new snort.conf Closes: #54553 - this closes some bugs in 1.5.1-2, which i've not submitted :-) * modified snort-stat to work with new snort.conf Closes: #54555 * modified snort.cron.daily to work with new snort.conf/snort-stat * added new snort/stats_treshold to snort.templates * modified snort.config to work with new config variable * modified snort.postinst to work with new snort.conf * modified snort.postrm to remove snort.conf if purge * all over all: did some beauifying :) -- Christian Hammers Fri, 14 Jan 2000 21:09:42 +0100 snort (1.5.1-2) unstable; urgency=low * I was diligently and added five more debconf options :) Closing: #54227 - receipient of the daily statistic mail - start at boot/ip-up/manual - interface - promiscuous mode - reverse order * Enhanced the snort-stat script with help from Mario Holbe. Closes: #54369 -- Christian Hammers Fri, 14 Jan 2000 21:09:36 +0100 snort (1.5.1-1) unstable; urgency=low * Fixed cron script with the new logging method. Closes: #54226, #54275 * Applied upstream patch1 and one from the mailing list. Closes: #54225, #54224 * Added README.Debian with a small FAQ. * Changed configuration and added a /etc/snort/snort.options file. -- Christian Hammers Tue, 11 Jan 2000 22:56:33 +0100 snort (1.5-2) unstable; urgency=low * Fixed typo. Closes: #54269 -- Christian Hammers Sun, 9 Jan 2000 18:58:45 +0100 snort (1.5-1) unstable; urgency=low * New upstream release. Features speed burst and modularization of the rules file. * Now using syslog facility to log to /var/log/auth.log. (Details are still available in /var/log/snort/) * Daily generation of scan statistic via cron script. 
-- Christian Hammers Sun, 9 Jan 2000 18:58:39 +0100 snort (1.3.1-8) unstable; urgency=low * Sorry, future timestamps in package. Closes: #51848 (too much Y2K testing, I guess) -- Christian Hammers Sun, 5 Dec 1999 16:49:56 +0100 snort (1.3.1-7) unstable; urgency=medium * Changed prio to high since it's an grave bug that was closed. * Closes: #51130 -- Christian Hammers Tue, 15 Feb 2000 00:34:59 +0100 snort (1.3.1-6) unstable; urgency=medium * Snort stalles after installation due to debconf misuse. * Closes: #51130 -- Christian Hammers Wed, 24 Nov 1999 00:29:39 +0100 snort (1.3.1-5) unstable; urgency=low * Added debconf support to enter address range. -- Christian Hammers Mon, 22 Nov 1999 20:13:41 +0100 snort (1.3.1-4) unstable; urgency=low * Extended archiving of log files. Closes: #50176 -- Christian Hammers Mon, 22 Nov 1999 00:56:38 +0100 snort (1.3.1-3) unstable; urgency=low * Registered cron script as config file. Closes: #48391 -- Christian Hammers Wed, 27 Oct 1999 18:36:06 +0200 snort (1.3.1-2) unstable; urgency=low * Added the non-promiscuous flag (-p) to the man-page. -- Christian Hammers Sun, 24 Oct 1999 18:52:20 +0200 snort (1.3.1-1) unstable; urgency=low * New upstream version. * Many bugfixes. -- Christian Hammers Thu, 14 Oct 1999 00:20:35 +0200 snort (1.2.1-3) unstable; urgency=low * Included the LISA'99 Conference paper as documentation. * FHS compliant. * Improved /etc/cron.daily script. Fixes: #44568. -- Christian Hammers Fri, 10 Sep 1999 01:55:22 +0200 snort (1.2.1-2) unstable; urgency=low * Added a nice manpage (thanks to Peter T. Breuer). Closes #44127. -- Christian Hammers Tue, 7 Sep 1999 17:15:51 +0200 snort (1.2.1-1) unstable; urgency=low * New upstream release with fixes and speed improvement. (fixes: #43049) -- Christian Hammers Mon, 30 Aug 1999 21:15:10 +0200 snort (1.2-2) unstable; urgency=low * Made cron.daily a bit quieter. 
(fixes: #43049) -- Christian Hammers Mon, 16 Aug 1999 23:05:16 +0200 snort (1.2-1) unstable; urgency=low * New upstream version with great performance improve. -- Christian Hammers Mon, 2 Aug 1999 20:37:09 +0200 snort (1.1-2) unstable; urgency=low * Made better default IP in config file and fixed typo. -- Christian Hammers Tue, 13 Jul 1999 00:02:48 +0200 snort (1.1-1) unstable; urgency=low * Initial Release. -- Christian Hammers Mon, 12 Jul 1999 21:30:57 +0200 debian/rules0000775000000000000000000002015312317374526010263 0ustar #!/usr/bin/make -f #-*- makefile -*- # Rules file for Snort, developed by Javier Fernandez-Sanguino # Made with the aid of dh_make, by Craig Small # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. # Some lines taken from debmake, by Christoph Lameter. # export DH_VERBOSE=1 TMP=`pwd`/debian CFLAGS:=-g -O2 -D_GNU_SOURCE ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) CFLAGS += -g endif ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) INSTALL_PROGRAM += -s endif export CFLAGS CONFFLAGS= --prefix=/usr \ --bindir=\$$\{exec_prefix\}/sbin \ --mandir=\$$\{exec_prefix\}/share/man \ --enable-zlib \ --enable-ipv6 \ --enable-gre \ --enable-mpls \ --enable-targetbased \ --enable-ppm \ --enable-perfprofiling \ --enable-active-response \ --enable-normalizer \ --enable-reload \ --enable-react \ --enable-flexresp3 aclocal.m4: aclocal-1.9 -I m4/ automake-1.9 -i autoconf clean-sources: # Clean the sources [ ! -f Makefile ] || $(MAKE) distclean cd src && [ ! -f Makefile ] || $(MAKE) distclean # Remove the flag that indicated that the sources were configured -rm -f configure-stamp clean: clean-sources dh_testdir dh_testroot # Clean all the stamps rm -f build*stamp install-stamp configure-stamp # Clean all the different binaries we have created when building the packages' # flavors rm -f src/snort-basic rm -f src/snort # Clean documents cd doc && [ ! 
-f Makefile ] || $(MAKE) distclean rm -f doc/snort_manual.pdf doc/snort_manual.ps doc/snort_manual.aux \ doc/snort_manual.log doc/snort_manual.toc dh_clean configure: configure-stamp configure-stamp: dh_testdir # Standard package configuration: ./configure $(CONFFLAGS) touch $@ # Basic 'flavor' package # # Other 'flavors' (with different compilation flags) can be generated using # this as a reference build-basic: build-basic-stamp build-basic-stamp: configure-stamp # NOTE: We don't clean the sources on the first compilation dh_testdir $(MAKE) cp src/snort src/snort-basic touch $@ # This is an example of a 'flavor'. A flavor # adds support for some specific configuration flags # that are not used in the basic flavor # #build-flavor: build-flavor-stamp #build-flavor-stamp: # dh_testdir # sh debian/clean_sources.sh # # Support for blah, blah, blah # ./configure $(CONFFLAGS) \ # --enable-some-esoteric-option # $(MAKE) # cp src/snort src/snort-flavor # touch $@ # Note: the binary generated needs to be moved to the proper 'flavor' package too build-arch: build-arch-stamp build-arch-stamp: build-basic-stamp dh_testdir touch $@ build-indep: build-indep-stamp build-indep-stamp: configure-stamp dh_testdir # Build the documentation # Only do this if we have the required binaries and files # Note: I hate hardcoding paths here, but the buildds are stupid @if [ -x /usr/bin/ps2pdf -a -x /usr/bin/pslatex -a \ -x /usr/bin/dvips -a \ -e /usr/share/texlive/texmf-dist/tex/latex/pslatex/pslatex.sty -a \ -e /usr/share/texlive/texmf-dist/tex/latex/oberdiek/kvoptions.sty ] ; \ then \ $(MAKE) -C doc snort_manual.pdf ; \ else \ echo >&2 'WARNING: Not building documentation, environment not available!'; \ fi touch $@ build: build-arch build-indep install: install-indep install-arch install-arch: dh_testdir dh_testroot dh_clean -k -s dh_installdirs -s # Install the common binaries $(MAKE) install prefix=$(TMP)/snort-common/usr/ rm -f $(TMP)/snort-common/usr/sbin/snort # clean dependency_libs 
find $(TMP)/snort-common/usr/lib -name "*.la" -exec \ sed -i -e "s,^dependency_libs=.*,dependency_libs=''," {} + # Snort binaries install -m 755 -o root -g root src/snort-basic $(TMP)/snort/usr/sbin/snort # Default config # install -m 644 -o root -g root `pwd`/debian/snort.common.parameters $(TMP)/snort/etc/snort/snort.common.parameters install -m 644 -o root -g root `pwd`/debian/snort.default $(TMP)/snort/etc/default/snort # Install init.d initscripts install -m 755 -o root -g root `pwd`/debian/snort.init.d $(TMP)/snort/etc/init.d/snort # Install PPP initscripts install -m 755 -o root -g root `pwd`/debian/my/snort.ip-up.d $(TMP)/snort/etc/ppp/ip-up.d/snort install -m 755 -o root -g root `pwd`/debian/my/snort.ip-down.d $(TMP)/snort/etc/ppp/ip-down.d/snort # Logrotate files install -m 644 -o root -g root `pwd`/debian/snort.logrotate $(TMP)/snort/etc/logrotate.d/snort # Move libraries to the snort-common-libraries package mv $(TMP)/snort-common/usr/lib/* $(TMP)/snort-common-libraries/usr/lib/ rmdir $(TMP)/snort-common/usr/lib/ # Remove headers, as this is not a -dev package # mv $(TMP)/snort-common/usr/src/ $(TMP)/snort-common-libraries/usr/ rm -rf $(TMP)/sort-common/usr/src/ dh_install -s install-indep: dh_testdir dh_testroot dh_clean -k -i dh_installdirs -i # Install Debian specific, scripts and files of the snort-common # package install -m 755 -o root -g root `pwd`/debian/snort.cron.daily $(TMP)/snort-common/etc/cron.daily/5snort install -m 755 -o root -g root `pwd`/debian/my/snort-stat $(TMP)/snort-common/usr/sbin/ install -m 644 -o root -g root `pwd`/etc/snort.conf $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/unicode.map $(TMP)/snort-common/etc/snort/ install -m 644 -o root -g root `pwd`/etc/threshold.conf $(TMP)/snort-common/etc/snort/ # Install files of the arch-independent packages cp rules/*.rules $(TMP)/snort-rules-default/etc/snort/rules/ # mkdir -p $(TMP)/snort-rules-default/usr/share/snort/ # install -m 644 -o root -g root 
`pwd`/debian/oldrules.md5 $(TMP)/snort-rules-default/usr/share/snort/oldrules.md5 # install -m 644 etc/sid-msg.map $(TMP)/snort-rules-default/etc/snort/ install -m 644 etc/gen-msg.map $(TMP)/snort-rules-default/etc/snort/ install -m 644 etc/community-sid-msg.map $(TMP)/snort-rules-default/etc/snort/ install -m 644 etc/classification.config $(TMP)/snort-rules-default/etc/snort/ install -m 644 etc/reference.config $(TMP)/snort-rules-default/etc/snort/ # Remove useless directories rm -rf $(TMP)/snort-common/etc/ppp rm -rf $(TMP)/snort-doc/usr/share/doc dh_install -i # Build architecture-independent files here. binary-indep: build-indep install-indep dh_testdir -i dh_testroot -i dh_installdocs -i -XREADME.WIN32 dh_installexamples -i dh_installdebconf -i dh_installman -i # Other adjustments rm -rf $(TMP)/snort-doc/usr/share/doc/snort-doc/CVS rm -rf $(TMP)/snort-doc/usr/share/doc/snort-doc/contrib/CVS chmod +x $(TMP)/snort-common/usr/share/doc/snort-common/examples/snort* cp -a doc/signatures/ $(TMP)/snort-doc/usr/share/doc/snort-doc/ rm -rf $(TMP)/snort-doc/usr/share/man rm -rf $(TMP)/snort-rules-default/usr/share/man rm -rf $(TMP)/snort-common/usr/share/man/man8/snort.* dh_installchangelogs -i ChangeLog dh_link -i dh_strip -i dh_compress -i dh_fixperms -i dh_makeshlibs -i dh_installdeb -i dh_perl -i dh_shlibdeps -i dh_gencontrol -i dh_md5sums -i dh_builddeb -i # Build architecture-dependent files here. 
binary-arch: build-arch install-arch
	dh_testdir -a
	dh_testroot -a
	dh_installdocs -a
	dh_installexamples -a
	dh_installdebconf -a
	dh_installman -a
	# Prune manpage copies staged under packages that must not ship them
	# (binary-indep does the same on the arch-independent side).
	rm -rf $(TMP)/snort-rules-default/usr/share/man
	rm -f $(TMP)/snort/usr/share/man/man8/snort-stat.*
	rm -f $(TMP)/snort-common/usr/share/man/man8/snort.*
	dh_installchangelogs -a ChangeLog
	dh_link -a
	dh_strip -a
	dh_compress -a
	dh_fixperms -a
	dh_makeshlibs -a -Xsnort-common-libraries
	dh_installdeb -a
	dh_perl -a
	dh_shlibdeps -a
	dh_gencontrol -a
	dh_md5sums -a
	dh_builddeb -a

# Legacy targets kept only to fail loudly with a pointer to dpkg-source.
source diff:
	@echo >&2 'source and diff are obsolete - use dpkg-source -b'; false

# Maintainer helper: replace rules/ with a fresh snapshot from snort.org,
# keeping only the packaging Makefile* from the previous tree.
# NOTE(review): the snapshot is fetched over plain HTTP and extracted as-is;
# no checksum or signature is verified before the unpacked rules replace the
# tree and rules.old is deleted.  Verify the archive against a trusted digest
# (and prefer an authenticated transport) before running this target.
update-rules:
	mv rules rules.old
	wget -q -O ../snortrules-snapshot-2_2.tar.gz http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
	tar -zxf ../snortrules-snapshot-2_2.tar.gz
	if [ -d rules ] ; then mv rules.old/Makefile* rules/; rm -rf rules.old; fi

# Update the Debconf templates for all packages using the common templates
update-templates: debian/snort.TEMPLATE.templates
	cd debian && sh generate-templates.sh
	cd debian && debconf-updatepo

binary: binary-arch binary-indep
.PHONY: build clean binary-indep binary-arch binary install install-indep install-arch

# --- tar member header of the next archived file (extraction residue);
# --- debian/snort-common.config begins after it.
debian/snort-common.config0000664000000000000000000000444012317374526013026 0ustar #!/bin/sh -e .
/usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x # This is a list of deprecated preprocessors used to detect # bad configuration that will prevent Snort from running # based on http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/Attic/ OLD_PREPROCESSORS="anomsensor asn1 conversation defrag defrag2 fnord frag2 http_decode httpflow minfrag portscan portscan2 tcp_stream tcp_stream2 tcp_stream3 telnet_negotiation unidecode xlink2state" # List of valid preprocessors (taken from src/preprocessor) # or generated using: # grep RegisterPreprocessor src/preprocessors/* |perl -ne 'print $1."\n" if /\("(.*?)",/' |sort -u # [Currently not used since the user might have custom preprocessors] VALID_PREPROCESSORS="arpspoof arpspoof_detect_host backorifice bo frag3 frag3_engine frag3_global frag3insert frag3rebuild http_encode httpinspect normalize_icmp4 normalize_icmp6 normalize_ip4 normalize_ip6 normalize_tcp perfmon PerfMonitor rpcdecode rpc_decode s5 s5icmp s5ip s5tcp s5udp sfportscan stream5_global stream5_icmp stream5_ip stream5_tcp stream5_udp" CONFIG_FILE=/etc/snort/snort.conf deprecated=0 if test -f $CONFIG_FILE then for prep in $OLD_PREPROCESSORS do found_deprecated=`egrep -i "^preprocessor $prep:+" $CONFIG_FILE | sed -e 's/:.*//'` if [ -n "$found_deprecated" ] ; then deprecated=1 deprecated_list="$found_deprecated $deprecated_list" fi done fi # We should warn the user if we found some deprecated preprocessor # # NOTE: This is done on config to urge the user to # overwrites the configuration later on if he is given the chance. if [ "$deprecated" -eq 1 ] ; then deprecated_list=`echo $deprecated_list |sed -e 's/ $//'` # echo "Your $CONFIG_FILE is using out of date preprocessors ($deprecated_list) you should upgrade!" 
db_subst snort/deprecated_config DEP_CONFIG "$deprecated_list" || true db_input high snort/deprecated_config || true db_go || true fi # Warn the user if we found a deprecated file with information deprecated_file_list="" if [ -s /etc/snort/database.conf ]; then deprecated_file_list="/etc/snort/database.conf" fi if [ -n "$deprecated_file_list" ]; then db_subst snort/deprecated_file DEP_FILE "$deprecated_file_list" || true db_input high snort/deprecated_file || true db_go || true fi db_stop #DEBHELPER# exit 0 debian/snort-common.dirs0000664000000000000000000000004512317374526012517 0ustar /etc/cron.daily /etc/snort /usr/sbin debian/snort.manpages0000664000000000000000000000001012317374526012053 0ustar snort.8 debian/po/0000775000000000000000000000000012317374526007620 5ustar debian/po/POTFILES.in0000664000000000000000000000013312317374526011372 0ustar [type: gettext/rfc822deb] snort.templates [type: gettext/rfc822deb] snort-common.templates debian/po/es.po0000664000000000000000000010423412317374526010573 0ustar # snort debconf translation to Spanish # Copyright (C) 2004 Software in the Public Interest # This file is distributed under the same license as the snort package. 
# # Changes: # - Initial translation # Javier Fernandez-Sanguino Pea , 2004 # - Updates # Javier Fernandez-Sanguino Pea , 2005-2012 # # # Traductores, si no conoce el formato PO, merece la pena leer la # documentacin de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Equipo de traduccin al espaol, por favor, lean antes de traducir # los siguientes documentos: # # - El proyecto de traduccin de Debian al espaol # http://www.debian.org/intl/spanish/coordinacion # especialmente las notas de traduccin en # http://www.debian.org/intl/spanish/notas # # - La gua de traduccin de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # msgid "" msgstr "" "Project-Id-Version: snort debconf 2.9.3.1-1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-24 03:42+0200\n" "Last-Translator: Javier Fernandez-Sanguino Pea \n" "Language-Team: Debian Spanish \n" "Language: es\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" "X-POFile-SpellExtra: tap MySQL share gz mirroring ifconfig cron ppp conf\n" "X-POFile-SpellExtra: mysql spanning port plow parameters TCP pgsql init\n" "X-POFile-SpellExtra: PPP usr common revsela DEPCONFIG zcat pppd IPs Snort\n" "X-POFile-SpellExtra: CIDR cd dpkg psql sbin PostgreSQL default doc route\n" "X-POFile-SpellExtra: createmysql createpostgresql inspeccionarse snort\n" "X-POFile-SpellExtra: HOMENET eth\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "arranque" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "marcacin telefnica" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manual" #. Type: select #. 
Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Mtodo de arranque de Snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "Por favor, escoja cmo debera arrancarse Snort: automticamente en el arranque del sistema, automticamente cuando el sistema se conecte a Internet con pppd o manualmente cuando lo arranque ejecutndolo con /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Interfaz/ces donde debera escuchar Snort:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "Este valor suele ser eth0, pero puede no ser correcto para algunos entornos de red. Si est utilizando una conexin de marcacin telefnica mediante PPP a Internet puede ser ms apropiado utilizar ppp0 (consulte la salida de /sbin/ifconfig)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Generalmente la interfaz que se aade aqu es generalmente la misma que " "tiene definida la ruta por omisin. Para determinar qu interfaz se est " "utilizando para esto, ejecute /sbin/route -n (busque aquellos valores " "asociados a 0.0.0.0)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. 
For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Tampoco es infrecuente ejecutar Snort en una interfaz sin direccin IP que " "est configurada en modo promiscuo. Para estos casos, seleccione la interfaz " "en el sistema que est fsicamente conectada a la red debera " "inspeccionarse, active el modo promiscuo ms adelante y asegrese que el " "trfico de dicha red se est enviado a esa interfaz (bien conectndola a un " "puerto de un conmutador en modo port mirroring/spanning, bien conectado a " "un concentrador o a un tap)" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Puede configurar mltiples interfaces simplemente aadiendo ms de un nombre " "de interfaz y separndolos por espacios. Cada interfaz puede tener su propia " "configuracin." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Intervalo de direcciones para la red local:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Tiene que utilizar el formato CIDR, esto es, 192.168.1.0/24 para un bloque " "de 256 IPs o 192.168.1.42/32 para slo una direccin. Debe separar " "mltiples direcciones por , (comas) y sin espacios." #. Type: string #. 
Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Tenga en cuenta que si Snort est configurado para utilizar mltiples " "interfaces se utilizar esta definicin como valor de HOME_NET para todos " "ellos." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Debera Snort deshabilitar el modo promiscuo en la interfaz?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Si deshabilita el modo promiscuo Snort slo analizar paquetes dirigidos a " "la propia interfaz que se est monitorizando. Si lo activa Snort comprobar " "todos los paquetes que pasen por el segmento Ethernet incluso aunque sean " "parte de una conexin entre otros dos sistemas." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interfaz invlida" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort est intentando utilizar una interfaz que no existe o est " "desactivada. Es posible que est tomando el valor por omisin eth0 y no " "exista en su sistema o que haya especificado una interfaz invlida." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Deberan enviarse resmenes por correo electrnico?" #. Type: boolean #. 
Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Puede configurar una tarea en cron que enve resmenes diarios de los " "registros de Snort a una direccin especfica." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Indique si quiere activar esta funcionalidad." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinatario de los correos de estadsticas diarias:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Indique la direccin de correo que debera recibir los resmenes diarios de " "los registros de Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Opciones adicionales a medida:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Indique las opciones adicionales que Snort debera utilizar." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "" "Nmero mnimo de ocurrencias antes de incluir una alerta en los informes:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Introduzca el nmero mnimo de ocurrencias de una alerta que deben " "producirse antes de incluir una alerta en las estadsticas diarias." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Es necesario reiniciar Snort" #. Type: note #. 
Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "Dado que Snort se ejecuta de forma manual tiene que ejecutar service snort restart para que se apliquen los cambios." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Fichero de configuracin obsoleto" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Este sistema utiliza un fichero de configuracin obsoleto (/etc/snort/snort." "common.parameters) que ha sido convertido de forma automtica al nuevo " "formato de fichero de configuracin (en /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Por favor, revise el nuevo fichero de configuracin y borre el antiguo. El " "guin del init.d no utilizar la nueva configuracin hasta que lo borre y no " "podr por tanto aprovecharse de las ventajas introducidas en nuevas " "versiones." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Opciones obsolestas en el fichero de configuracin" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. 
Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "El fichero de configuracin de Snort (/etc/snort/snort.conf) utiliza " "opciones obsoletas que ya no estn disponibles en esta versin de Snort. " "Snort no podr arrancar a menos que tenga un fichero de configuracin " "correcto. Puede sustituir este fichero de configuracin por el que ofrece " "este paquete o arreglarlo manualmente eliminando las opciones obsoletas." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Se encontraron las siguientes opciones obsoletas en el fichero de " "configuracin: ${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Error de configuracin" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "La configuracin actual de Snort es invlida e impedir que Snort se " "ejecute. Por favor, revsela y corrjala." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Puede diagnosticar los errores en su configuracin de Snort ejecutando, como " "superusuario, la siguiente orden: /usr/sbin/snort -T -c /etc/snort/snort." "conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Fichero de configuracin obsoleto" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. 
If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Su sistema tiene ficheros de configuracin obsoletos que no deberan seguir " "utilizndose y que pueden contener opciones obsoletas. Si estos ficheros se " "incluyen a travs del fichero de configuracin estndar (/etc/snort/snort." "conf) pueden hacer que Snort no arranque correctamente." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Debe eliminar estos ficheros as como cualquier referencia a ellos en el " "archivo de configuracin etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Se encontraron los siguientes ficheros de configuracin obsoletos: " "${DEP_FILE}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Quiere configurar una base de datos a la que snort-mysql enviar los " #~ "registros?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "No se ha configurado ninguna base de datos para Snort. Antes de continuar " #~ "debe asegurarse de disponer de:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - el nombre del servidor (este servidor debe permitir conexiones\n" #~ " TCP desde este sistema),\n" #~ " - el nombre de una base de datos en ese servidor,\n" #~ " - un nombre de usuario y contrasea para acceder a la base de datos." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." 
#~ msgstr "" #~ "Si no cumple con algunos de estos requisitos rechace esta opcin y " #~ "ejecute Snort con el soporte normal de registro en ficheros." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Puede configurar el volcado de registros en base de datos ms adelante " #~ "ejecutando dpkg-reconfigure -plow snort-mysql." #~ msgid "Database server hostname:" #~ msgstr "Nombre del servidor de base de datos:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Especifique el nombre de equipo de un servidor de base de datos que " #~ "permite conexiones de este sistema." #~ msgid "Database name:" #~ msgstr "Nombre de la base de datos:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Especifique el nombre de una base de datos existente al que el usuario de " #~ "base de datos tiene acceso." #~ msgid "Username for database access:" #~ msgstr "Nombre de usuario para el acceso a la base de datos:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Especifique el usuario del servidor de base de datos con acceso de " #~ "escritura a la base de datos." #~ msgid "Password for the database connection:" #~ msgstr "Contrasea para la conexin con la base de datos:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Introduzca una contrasea para acceder a la base de datos de alertas de " #~ "Snort." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Es necesario configurar una base de datos para Snort" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort necesita una base de datos correctamente configurada para poder " #~ "arrancar. Para poder crear la estructura debe ejecutar las rdenes " #~ "mostradas a continuacin DESPUS de instalar el paquete:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Introduzca los nombres correctos para el usuario, sistema, y nombre de " #~ "base de datos. MySQL le solicitar la contrasea." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Deber arrancar Snort manualmente despus de haber creado la estructura " #~ "de la base de datos." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Quiere preparar una base de datos para que la utilice snort-pgsql?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Podr reconfigurar ms adelante el volcado en base de datos con dpkg-" #~ "reconfigure -plow snort-pgsql." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Introduzca los nombres correctos para el usuario, sistema, y nombre de " #~ "base de datos. PostgreSQL le solicitar la contrasea." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" 
#~ msgstr "" #~ "Deberan cambiarse el orden de las pruebas a Pasar|Alertar|Registrar?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "El orden de pruebas por omisin para Snort es Alertar|Pasar|Registrar, si " #~ "acepta esta opcin el orden se modificar a Pasar|Alertar|Registrar que " #~ "puede ser ms sencillo para utilizar Snort con algunas herramientas de " #~ "filtrado de paquetes." #~ msgid "You are running Snort manually" #~ msgstr "Est ejecutando Snort manualmente" #~ msgid "There is an error in your configuration" #~ msgstr "Su configuracin tiene un error" #~ msgid "Your configuration file is deprecated" #~ msgstr "Su fichero de configuracin es obsoleto" #~ msgid "boot, dialup, manual" #~ msgstr "arranque, conexin, manual" #~ msgid "When should Snort be started?" #~ msgstr "Cuando debera arrancarse Snort?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Si quiere, puede especificar any (cualquiera) si no confa en ningn " #~ "lado de su red." #~ msgid "" #~ "One of the interfaces you specified is not valid (it might not exist on " #~ "the system or be down). Please introduce a valid interface when answering " #~ "the question of which interface(s) should Snort listen on." #~ msgstr "" #~ "Una de las interfaces que ha especificado no es vlida (puede que no " #~ "exista en su sistema o no tenga enlace). Debe introducir una interfaz " #~ "vlida cuando se le pregunte en qu interfaz (o interfaces) debera " #~ "escuchar Snort." #~ msgid "" #~ "If you did not configure an interface then the package is trying to use " #~ "the default ('eth0') which does not seem to be valid in your system." 
#~ msgstr "" #~ "El paquete ha intentado utilizar la interfaz por omisin (eth0) si no " #~ "ha configurado un interfaz aqu, y esta interfaz para que no es vlida en " #~ "su sistema." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "Si cambia el orden de prueba de las reglas de snort a Pasar|Alertar|" #~ "Registrar, se aplicar?n el orden Pasar->Alertar->Registrar en lugar del " #~ "modo estndar Alertar->Pasar->Registrar. Esto evita que se tengan que " #~ "incluir muchos argumentos de lnea de comandos con filtrado de paquetes " #~ "para filtrar sus propias reglas de alertas." #~ msgid "" #~ "This Snort installation provides a cron job that runs daily and " #~ "summarises the information of Snort logs to a selected email address. If " #~ "you want to disable this feature say 'no' here." #~ msgstr "" #~ "Esta instalacin de Snort incluye una tarea del cron que se ejecuta " #~ "diariamente y realiza un resumen de informacin de los registros de Snort " #~ "que luego enva por correo electrnico a la direccin indicada. Responda " #~ "no a esta pregunta si desea deshabilitar esta funcionalidad." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." #~ msgstr "" #~ "Se ejecuta diariamente una tarea del cron para resumir la informacin " #~ "de los registros generados por Snort utilizando un programa llamado " #~ "snort-stat. Indique aqu el receptor de dichos mensajes. 
El valor por " #~ "defecto es el administrator del sistema. Si mantiene este valor asegrese " #~ "de que los correos de dicha cuenta son reenviados o ledos por algn " #~ "usuario." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "Si quiere aadir opciones adicionales a Snort, especifquelas aqu." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Por favor reinicie a Snort con:\n" #~ " /etc/init.d/snort start\n" #~ "para que los cambios tengan efecto." #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "Su configuracin de Snort no es correcta y no se podr arrancar ste con " #~ "normalidad. Por favor, revise su configuracin y arreglela. Las " #~ "actualizaciones del paquete Snort fallarn si no lo hace. Para comprobar " #~ "el error que se genera ejecute /usr/sbin/snort -T -c /etc/snort/snort." #~ "conf (o utilice otro fichero de configuracin si utiliza ficheros " #~ "distintos para distintas interfaces)" #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. 
You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Slo tiene que hacer sto la primera vez que instale snort-mysql. Andes " #~ "de seguir adelante asegrese de que (1) el nombre de servidor del equipo " #~ "que ejecuta la base de datos mysql permite realizar conexiones tcp desde " #~ "ste equipo, (2) hay una base de datos en ese servidor, (3) el nombre de " #~ "usuario y contrasea de acceso a la base de datos. Si no tiene _todos_ " #~ "estos, escoja no y contine con la configuracin habitual de registro, " #~ "o arregle esto. Siempre puede configurar la base de datos ms adelante " #~ "reconfigurando snort-mysql utilizando: dpkg-reconfigure -plow snort-" #~ "mysql" #~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "Asegrese de que el usuario ha sido creado y tiene permisos de escritura." #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "Snort necesita tener una base de datos configurada antes de arrancar" #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Slo tiene que hacer sto la primera vez que instale snort-pgsql. 
Antes " #~ "de seguir adelante asegrese de que (1) el nombre de servidor del equipo " #~ "que ejecuta la base de datos mysql permite realizar conexiones tcp desde " #~ "ste equipo, (2) hay una base de datos en ese servidor, (3) el nombre de " #~ "usuario y contrasea de acceso a la base de datos. Si no tiene _todos_ " #~ "estos, escoja no y contine con la configuracin habitual de registro, " #~ "o arregle esto. Siempre puede configurar la base de datos ms adelante " #~ "reconfigurando snort-pgsql utilizando: dpkg-reconfigure -plow snort-" #~ "pgsql" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Snort necesita una base de datos correctamente configurada para poder " #~ "arrancar.Para poder crear la estructura debe ejecutar las rdenes " #~ "mostradas a continuacin DESPUS de instalar el paquete:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_pgsql.gz | psql -U -h -W " #~ "\n" #~ "Rellene correctamente los valores para el usuario, servidor y nombre de " #~ "la base de datos. PostgreSQL le solicitar la contrasea." #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Por favor, introduzca el nombre de la interfaz o interfaces en la que " #~ "Snort debe escuchar. Puede obtener los nombres de las interfaces " #~ "ejecutando ip link show. 
Este valor suele ser eth0, pero quizs desee " #~ "variarlo dependiendo de su entorno. Si est utilizando una conexin " #~ "telefnica a Internet basada en PPP puede ser ms apropiado utilizar " #~ "ppp0." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "Introduzca el intervalo de direcciones que monitorizar Snort." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Debera deshabilitar el modo promscuo si est configurando Snort en una " #~ "interfaz sin direcciones IP." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "" #~ "Introduzca el nombre de servidor de la base de datos mysql que va a " #~ "utilizar." #~ msgid "Please enter the name of the database to use." #~ msgstr "Por favor, indique el nombre de la base de datos a utilizar." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "" #~ "Por favor, introduzca el nombre de usuario de la base de datos que quiere " #~ "utilizar." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "Introduzca el nombre de servidor de la base de datos psql que va a " #~ "utilizar." #~ msgid "" #~ "Your system has an obsolete configuration file (/etc/snort/snort.common." #~ "parameters) which has been automatically converted into the new " #~ "configuration file format (at /etc/default/snort). Please review the new " #~ "configuration and remove the obsolete one. Until you do this, the init.d " #~ "script will not use the new configuration and you will not take advantage " #~ "of the benefits introduced in newer releases." #~ msgstr "" #~ "Su sistema tiene un fichero de configuracin obsoleto (/etc/snor/snort." #~ "common.parameters) que ha sido convertido de forma automtica al nuevo " #~ "formato de fichero de configuracin (en /etc/default/snort). 
Por favor, " #~ "revise el nuevo fichero de configuracin y borre el antigo. El guin del " #~ "init.d no utilizar la nueva configuracin hasta que lo borre y no podr " #~ "aprovecharse de las ventajas introducidas en nuevas versiones." #~ msgid "" #~ "Your system has an obsolete configuration file (/etc/snort/snort.common." #~ "parameters) which has been automatically converted into the new " #~ "configuration file format (at /etc/default/snort). Please review the new " #~ "configuration and remove the obsolete one. Until you do this, the init.d " #~ "script will not use the new configuration and you will not take advantage " #~ "of the benefits introduced in newer releases." #~ msgstr "" #~ "Su sistema tiene un fichero de configuracin obsoleto (/etc/snor/snort." #~ "common.parameters) que ha sido convertido de forma automtica al nuevo " #~ "formato de fichero de configuracin (en /etc/default/snort). Por favor, " #~ "revise el nuevo fichero de configuracin y borre el antigo. El guin del " #~ "init.d no utilizar la nueva configuracin hasta que lo borre y no podr " #~ "aprovecharse de las ventajas introducidas en nuevas versiones." #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either running " #~ "'ip link show' of 'ifconfig'. This value usually is 'eth0', but you might " #~ "want to vary this depending on your environment, if you are using a " #~ "dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Por favor, introduzca el nombre de la interfaz o interfaces en la que " #~ "Snort debe escuchar. Puede obtener los nombres de las interfaces " #~ "ejecutando ip link show. Este valor suele ser eth0, pero quizs desee " #~ "variarlo dependiendo de su entorno. Si est utilizando una conexin " #~ "telefnica a Internet basada en PPP puede ser ms apropiado utilizar " #~ "ppp0." #~ msgid "On which interface should Snort listen?" 
#~ msgstr "En qu interfaz debera escuchar Snort?" #~ msgid "" #~ "Notice that Snort is usually configured to inspect all traffic coming " #~ "from the Internet, so the interface you add here is usually the same the " #~ "'default route' is on. You can determine which interface is used for " #~ "this running either 'ip route show' or '/sbin/route -n' (look for " #~ "'default' or '0.0.0.0')." #~ msgstr "" #~ "Tenga en cuenta que generalmente se configura a Snort para que analice " #~ "todo el trfico que viene de Internet, as que la interfaz que se aade " #~ "aqu es generalmente la misma que tiene definida la ruta por omisin. " #~ "Para determinar qu interfaz se est utilizando para esto, ejecute bien " #~ "ip route show o bien /sbin/route -n (busque aquellos valores " #~ "asociados a default o 0.0.0.0)." #~ msgid "Should Snort disable promiscous mode on the interface?" #~ msgstr "Debera Snort deshabilitar el modo promscuo en la interfaz?" #~ msgid "" #~ "The configuration file found the following deprecated content: " #~ "${DEP_CONFIG}" #~ msgstr "" #~ "Se encontraron las siguientes opciones obsoletas en el fichero de " #~ "configuracin: ${DEP_CONFIG}" #~ msgid "" #~ "Please enter the interface name wich snort should listen on. F.e. eth0 " #~ "Usually this is the interface the 'default route' is on. See '/sbin/ip " #~ "ro sh' or '/sbin/route -n' and look for 'default' or '0.0.0.0'." #~ msgstr "Introduzca el nombre de la interfaz " debian/po/ca.po0000664000000000000000000011201712317374526010545 0ustar # snort (debconf) translation to Catalan. # Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. 
# Aleix Badia i Bosch 2005 # msgid "" msgstr "" "Project-Id-Version: snort_2.0.1-2_templates\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2005-02-26 10:41+0100\n" "Last-Translator: Aleix Badia i Bosch \n" "Language-Team: Debian L10n Catalan \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=ISO-8859-1\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only when you manually start it via /usr/sbin/snort." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "El Snort es pot iniciar a l'arrencada del sistema, quan el sistema es " "connecti a la xarxa a travs de pppd o iniciar-lo manualment via /usr/sbin/" "snort." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "On which interface Snort should listen? (only one!)" msgid "Interface(s) which Snort should listen on:" msgstr "Quina interfcie hauria d'escoltar el Snort? (noms una!)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Please enter the interface name which snort should listen on. The name of " #| "the available interfaces are provided by running 'ip link show'. This " #| "value usually is 'eth0', but you might want to vary this depending on " #| "your environment, if you are using a dialup connection 'ppp0' might be " #| "more appropiate." 
msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Introduu el nom de la interfcie que haur d'escoltar el snort. El nom de " "les interfcies disponibles el podeu aconseguir executant l'ordre 'ip link " "show'. El valor acostuma a ser 'eth0', per us pot interessar modificar-lo " "en funci de l'entorn, si utilitzeu el marcatge directe probablement us " "interessi ms el valor 'ppp0'." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Notice that Snort is usually configured to inspect all traffic coming " #| "from the Internet, so the interface you add here is usually the same the " #| "'default route' is on. You can determine which interface is used for " #| "this running either '/sbin/ip ro sh' or '/sbin/route -n' (look for " #| "'default' or '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Recordeu que el Snort acostuma a estar configurat per analitzar tot el " "trfic d'internet, la interfcie a afegir acostuma a ser la mateixa que la " "de la 'ruta per defecte'. Podeu obtenir la interfcie executant l'ordre '/" "sbin/ip ro sh' o '/sbin/route -n' (cerqueu 'default' o '0.0.0.0'). " #. Type: string #. 
Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to run Snort on an interface with no IP and " #| "configured in promiscuous mode, if this is your case, select the " #| "interface in this system that is physically connected to the network you " #| "want to inspect, enable promiscuous mode later on and make sure that the " #| "network traffic is sent to this interface (either connected to a 'port " #| "mirroring/spanning' port in a switch, to a hub or to a tap)" msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Tamb es pot donar la situaci d'executar el Snort en una interfcie sense " "IP i configurada en mode promiscu, si s el vostre cas, seleccioneu la " "interfcie que est fsicament connectada a la xarxa que voleu analitzar, " "posteriorment habiliteu el mode promiscu i assegureu-vos que el trfic de la " "xarxa s'envia a la interfcie (connectada a un port 'port mirroring/" "spanning' d'un commutador, a un concentrador o a un tap)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "You can configure multiple interfaces here, just by adding more than one " #| "interface name separated by spaces. Each interface can have its specific " #| "configuration." msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Podeu configurar mltiples interfcie afegint ms d'un nom d'interfcie " "separat per espais. Cada interfcie pot tenir una configuraci especfica." #. Type: string #. 
Description #: ../snort.templates:4001 #, fuzzy #| msgid "Please enter the address range that Snort will listen on." msgid "Address range for the local network:" msgstr "Introduu el rang d'adreces que escoltar el Snort." #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "" #| "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #| "192.168.1.42/32 for just one. Specify multiple addresses on a single line " #| "separated by ',' (comma characters), no spaces allowed!" msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Heu d'utilitzar el format CIDR, ex. 192.168.1.0/24 per un bloc de 256 IPs o " "192.268.1.42/32 per una. Especifiqueu mltiples adreces separades per " "',' (carcters de coma) en una sola lnia, no utilitzeu espais." #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "" #| "Notice that if you are using multiple interfaces this definition will be " #| "used as the HOME_NET definition of all of them." msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Recordeu que si utilitzeu mltiples interfcies aquesta definici " "s'utilitzar com a definici HOME_NET de totes." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "S'hauria d'inhabilitar el mode promiscu de la interfcie?" #. Type: boolean #. Description #: ../snort.templates:5001 #, fuzzy #| msgid "" #| "Disabling promiscuous mode means that Snort will only see packets " #| "addressed to it's own interface. Enabling it allows Snort to check every " #| "packet that passes ethernet segment even if it's a connection between two " #| "other computers." 
msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Si s'inhabilita el mode promiscu, el Snort nicament veur els paquets " "adreats a la seva prpia interfcie. Si s'habilita, el Snort pot comprovar " "cada paquet que passa pel segment ethernet, encara que sigui entre d'altres " "ordinador." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description #: ../snort.templates:8001 #, fuzzy #| msgid "Who should receive the daily statistics mails?" msgid "Recipient of daily statistics mails:" msgstr "Qui hauria de rebre els missatges estadstics diaris?" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. 
Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description #: ../snort.templates:10001 #, fuzzy #| msgid "" #| "An alert needs to appear more times than this number to be included in " #| "the daily statistics." msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Una alerta s'inclour a les estadstiques diries quan aparegui un nombre de " "vegades superior a l'indicat." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" #. Type: error #. Description #: ../snort.templates:12001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Obsolete configuration file" msgstr "El sistema utilitza un fitxer de configuraci obsolet" #. Type: error #. Description #: ../snort.templates:12001 #, fuzzy msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "El sistema t un fitxer de configuraci obsolet (/etc/snort/snort.common." "parameters) que s'ha convertit automticament al nou format de fitxer de " "configuraci (a /etc/default/snort). Comproveu el nou fitxer de configuraci " "i suprimiu l'obsolet. Fins que no ho feu, la seqncia de l'init.d no " "utilitzar la nova configuraci i no podreu utilitzar les caracterstiques " "afegides en les noves versions." #. Type: error #. Description #: ../snort.templates:12001 #, fuzzy msgid "" "Please review the new configuration and remove the obsolete one. 
Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "El sistema t un fitxer de configuraci obsolet (/etc/snort/snort.common." "parameters) que s'ha convertit automticament al nou format de fitxer de " "configuraci (a /etc/default/snort). Comproveu el nou fitxer de configuraci " "i suprimiu l'obsolet. Fins que no ho feu, la seqncia de l'init.d no " "utilitzar la nova configuraci i no podreu utilitzar les caracterstiques " "afegides en les noves versions." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Deprecated options in configuration file" msgstr "El sistema utilitza un fitxer de configuraci obsolet" #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "" #| "Your Snort configuration file (/etc/snort/snort.conf) uses deprecated " #| "options no longer available for this Snort release. Snort will not be " #| "able to start unless you provide a correct configuration file. You can " #| "substitute your configuration file with the one provided in this package " #| "or fix it manually by removing deprecated options." msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "El fitxer de configuraci actual (/etc/snort/snort.conf) utilitza opcions " "obsoletes que ja no estaran disponibles per a aquesta versi del Snort. No " "el podreu iniciar si no utilitzeu un fitxer de configuraci correcte. 
Podeu " "substituir el fitxer de configuraci pel proporcionat pel paquet o arreglar-" "lo manualment suprimint les opcions obsoletes." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "" #| "The following deprecated options were found in your configuration file: " #| "${DEP_CONFIG}" msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "S'han trobat les opcions obsoletes segents:\n" "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Deprecated configuration file" msgstr "El sistema utilitza un fitxer de configuraci obsolet" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. 
Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in your configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "S'han trobat les opcions obsoletes segents:\n" "${DEP_CONFIG}" #, fuzzy #~| msgid "Do you want to set up a database for snort-mysql to log to?" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Voleu configurar una base de dades on el snort-mysql hi registri dades?" #, fuzzy #~| msgid "" #~| "Make sure it has been set up correctly to allow incoming connections " #~| "from this host!" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Abans de permetre les connexions a aquest ordinador, assegureu-vos que " #~ "estigui configurat correctament." #, fuzzy #~| msgid "" #~| "Make sure this database has been created and your database user has " #~| "write access to this database." #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Assegureu-vos que la base de dades existeixi i que el vostre usuari hi " #~ "tingui perms d'escriptura." #, fuzzy #~| msgid "Please enter the password for the database connection" #~ msgid "Password for the database connection:" #~ msgstr "Introduu la contrasenya per la connexi amb la base de dades." #, fuzzy #~| msgid "Please enter a password to connect to the Snort Alert database." #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Introduu la contrasenya per connectar-vos a la base de dades d'alertes " #~ "del Snort." #, fuzzy #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Creeu l'estructura de la base de dades utilitzant la segent ordre:\n" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p \n" #~ "Ompliu correctament les dades de l'usuari, ordinador central i nom de la " #~ "base de dades. El MySQL us demanar la contrasenya." #, fuzzy #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Un cop creada l'estructura de la base de dades, premeu 'd'acord' per " #~ "continuar." #, fuzzy #~| msgid "Do you want to set up a database for snort-pgsql to log to?" #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "" #~ "Voleu configurar una base de dades on el snort-pgsql hi registri dades?" #, fuzzy #~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "S'hauria de canviar l'ordre de comprovaci de les regles del Snort per " #~ "Pass|Alert|Log?" #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" #~ msgstr "Esteu executant el Snort manualment." #~ msgid "There is an error in your configuration" #~ msgstr "Hi ha una error en la configuraci" #~ msgid "Your configuration file is deprecated" #~ msgstr "El fitxer de configuraci s obsolet" #~ msgid "boot, dialup, manual" #~ msgstr "arrencada, marcatge directe, manual" #~ msgid "When should Snort be started?" #~ msgstr "Quan s'hauria d'iniciar el Snort?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Per no establir una relaci de confiana amb cap part de la xarxa, podeu " #~ "especificar 'any'." 
#~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "Si canvieu l'ordre de comprovaci de les regles del Snort per Pass|Alert|" #~ "Log, s'aplicaran en l'ordre Pass->Alert->Log, en comptes de l'estndard " #~ "Alert->Pass->Log. Aquesta opci permetr que els usuaris no hagin " #~ "d'utilitzar una gran quantitat d'arguments de la lnia d'ordres del Berky " #~ "Packet Filter per filtrar les regles d'alerta." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." #~ msgstr "" #~ "Una tasca programada diriament resumir la informaci dels registres del " #~ "Snort utilitzant una seqncia anomenada 'snort-stat'. Introduu el " #~ "destinatari dels correus electrnics. El valor predeterminat s " #~ "l'administrador del sistema. Si manteniu el valor assegureu-vos que el " #~ "correu electrnic de l'administrador es redireccioni a una usuari que " #~ "llegeixi els missatges." #, fuzzy #~| msgid "" #~| "If you want to specify custom options to Snort, please specify them here." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "Si voleu definir opcions personalitzades del Snort, feu-ho aqu." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." 
#~ msgstr "" #~ "Per fer efectius els canvis reinicieu el Snort utilitzant:\n" #~ " /etc/init.d/snort start" #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "La configuraci del Snort no s correcte i no es podr iniciar " #~ "correctament. Reviseu la configuraci i arregleu-ne els errors. Si no ho " #~ "feu probablement no es podran realitzar correctament les actualitzacions " #~ "del paquet Snort. Per comprovar l'error executeu l'ordre '/usr/sbin/snort " #~ "-T -c /etc/snort/snort.conf' (si utilitzeu diferents fitxers per a " #~ "diferents interfcies feu referncia a un altre fitxer de configuraci)" #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Aquestes tasques noms les heu de realitzar la primera vegada que " #~ "installeu el snort-mysql. Abans de continuar assegureu-vos de tenir(1) " #~ "el nom d'un servidor central on s'estigui executant un servidor de mysql " #~ "que permeti connexions tcp d'aquest ordinador. (2) una base de dades, (3) " #~ "un nom d'usuari i una contrasenya per accedir-hi. 
Si no teniu tots els " #~ "elements de la llista, solucioneu-ho o seleccioneu l'opci 'no' i " #~ "utilitzeu el suport tradicional de registre per fitxer. Posteriorment, " #~ "sempre podreu configurar el mode de registre reconfigurant el paquet " #~ "snort-mysql utilitzant 'dpkg-reconfigure -plow snort-mysql'" #~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "Assegureu-vos que l'usuari estigui creat i tingui perms d'escriptura." #, fuzzy #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "El Snort necessita una base de dades configurada per registrar-hi les " #~ "dades." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Aquestes tasques noms les heu de dur a terme la primera vegada que " #~ "installeu el snort-pgsql. Abans de continuar assegureu-vos de tenir(1) " #~ "el nom d'un servidor central on s'estigui executant el servidor de pgsql " #~ "i que permeti connexions tcp d'aquest ordinador. (2) una base de dades en " #~ "aquest servidor. (3) un nom d'usuari i una contrasenya per accedir a la " #~ "base de dades. Si no teniu tots els elements de la llista, solucioneu-ho " #~ "o seleccioneu l'opci 'no' i utilitzeu el suport tradicional de registre " #~ "per fitxer. 
Posteriorment, sempre podreu configurar el mode de registre " #~ "reconfigurant el paquet snort-pgsql a travs de l'ordre 'dpkg-reconfigure " #~ "-plow snort-pgsql'" #, fuzzy #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Creeu l'estructura de la base de dades utilitzant l'ordre segent:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_pgsql.gz | pgsql -U -h -W \n" #~ "Ompliu correctament les dades de l'usuari, ordinador central i nom de la " #~ "base de dades. El PostgreSQL us demanar la contrasenya." #~ msgid "On which interface(s) should Snort listen?" #~ msgstr "Quina interfcie(s) hauria d'escoltar el Snort?" #, fuzzy #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Introduu el nom de la interfcie(s) que hauria d'escoltar el snort. El " #~ "nom de les interfcies disponibles el podeu aconseguir executant l'ordre " #~ "'ip link show'. El valor acostuma a ser 'eth0', per us pot interessar " #~ "modificar-lo en funci de l'entorn, si utilitzeu el marcatge directe " #~ "probablement us interessi ms el valor 'ppp0'." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "Introduu el rang d'adreces que escoltar el Snort." 
#~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Si esteu configurant el Snort en una interfcie sense una adrea d'IP " #~ "inhabiliteu el mode promiscu." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "" #~ "Introduu el nom de l'ordinador central del servidor de base de dades de " #~ "MySQL a utilitzar." #~ msgid "Please enter the name of the database to use." #~ msgstr "Introduu el nom de la base de dades a utilitzar." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "Introduu el nom de usuari de la base de dades que voleu utilitzar." #~ msgid "Please enter the password for the database connection." #~ msgstr "Introduu la contrasenya per a la connexi amb la base de dades." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "Introduu el nom de l'ordinador central del servidor de base de dades de " #~ "pgsql a utilitzar." #~ msgid "" #~ "Your system has an obsolete configuration file (/etc/snort/snort.common." #~ "parameters) which has been automatically converted into the new " #~ "configuration file format (at /etc/default/snort). Please review the new " #~ "configuration and remove the obsolete one. Until you do this, the init.d " #~ "script will not use the new configuration and you will not take advantage " #~ "of the benefits introduced in newer releases." #~ msgstr "" #~ "El sistema t un fitxer de configuraci obsolet (/etc/snort/snort.common." #~ "parameters) que s'ha convertit automticament al nou format de fitxer de " #~ "configuraci (a /etc/default/snort). Comproveu el nou fitxer de " #~ "configuraci i suprimiu l'obsolet. Fins que no ho feu, la seqncia de " #~ "l'init.d no utilitzar la nova configuraci i no podreu utilitzar les " #~ "caracterstiques afegides en les noves versions." 
#, fuzzy #~ msgid "" #~ "Your system has an obsolete configuration file (/etc/snort/snort.common." #~ "parameters) which has been automatically converted into the new " #~ "configuration file format (at /etc/default/snort). Please review the new " #~ "configuration and remove the obsolete one. Until you do this, the init.d " #~ "script will not use the new configuration and you will not take advantage " #~ "of the benefits introduced in newer releases." #~ msgstr "" #~ "El sistema t un fitxer de configuraci obsolet (/etc/snort/snort.common." #~ "parameters) que s'ha convertit automticament al nou format de fitxer de " #~ "configuraci (a /etc/default/snort). Comproveu el nou fitxer de " #~ "configuraci i suprimiu l'obsolet. Fins que no ho feu, la seqncia de " #~ "l'init.d no utilitzar la nova configuraci i no podreu utilitzar les " #~ "caracterstiques afegides en les noves versions." #, fuzzy #~ msgid "" #~ "Your system has an obsolete configuration file (/etc/snort/snort.common." #~ "parameters) which has been automatically converted into the new " #~ "configuration file format (at /etc/default/snort). Please review the new " #~ "configuration and remove the obsolete one. Until you do this, the init.d " #~ "script will not use the new configuration and you will not take advantage " #~ "of the benefits introduced in newer releases." #~ msgstr "" #~ "El sistema t un fitxer de configuraci obsolet (/etc/snort/snort.common." #~ "parameters) que s'ha convertit automticament al nou format de fitxer de " #~ "configuraci (a /etc/default/snort). Comproveu el nou fitxer de " #~ "configuraci i suprimiu l'obsolet. Fins que no ho feu, la seqncia de " #~ "l'init.d no utilitzar la nova configuraci i no podreu utilitzar les " #~ "caracterstiques afegides en les noves versions." #, fuzzy #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. 
The names of the available interfaces are provided by either running " #~ "'ip link show' of 'ifconfig'. This value usually is 'eth0', but you might " #~ "want to vary this depending on your environment, if you are using a " #~ "dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Introduïu el nom de la interfície(s) que hauria d'escoltar el snort. El " #~ "nom de les interfícies disponibles el podeu aconseguir executant l'ordre " #~ "'ip link show' o 'ifconfig'. El valor acostuma a ser 'eth0', però us pot " #~ "interessar modificar-lo en funció de l'entorn; si utilitzeu el marcatge " #~ "directe probablement us interessi més el valor 'ppp0'." #~ msgid "On which interface should Snort listen?" #~ msgstr "Quina interfície hauria d'escoltar el Snort?" #~ msgid "" #~ "Notice that Snort is usually configured to inspect all traffic coming " #~ "from the Internet, so the interface you add here is usually the same the " #~ "'default route' is on. You can determine which interface is used for " #~ "this running either 'ip route show' or '/sbin/route -n' (look for " #~ "'default' or '0.0.0.0')." #~ msgstr "" #~ "Recordeu que el Snort acostuma a estar configurat per analitzar tot el " #~ "tràfic d'Internet, la interfície a afegir acostuma a ser la mateixa que " #~ "la de la 'ruta per defecte'. Podeu obtenir-la executant l'ordre 'ip route " #~ "show' o '/sbin/route -n' (cerqueu 'default' o '0.0.0.0')." #~ msgid "Should Snort disable promiscous mode on the interface?" #~ msgstr "S'hauria d'inhabilitar el mode promiscu de la interfície?" #~ msgid "What address range should Snort consider to be local?" #~ msgstr "Quin rang d'adreces hauria de considerar local el Snort?" #~ msgid "" #~ "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #~ "192.168.1.42/32 for just one. Specify multiple addresses on a single " #~ "line, seperated by ',' (comma characters). No spaces allowed!" #~ msgstr "" #~ "Heu d'utilitzar el format CIDR, ex.
192.168.1.0/24 per un bloc de 256 IPs " #~ "o 192.168.1.42/32 per únicament una. Especifiqueu múltiples adreces " #~ "separades per ',' (caràcters de coma) i en una sola línia. Els espais no " #~ "estan permesos!" #~ msgid "" #~ "Disabling the promiscuous mode means that Snort will only see packets " #~ "addressed to its own interface. Enabling allows it to check every packet " #~ "that passes the ethernet even if it's a connection between two other " #~ "computers" #~ msgstr "" #~ "Si s'inhabilita el mode promiscu, el Snort únicament veurà els paquets " #~ "adreçats a la seva pròpia interfície. Cal que l'habiliteu per comprovar " #~ "cada paquet que passa per la xarxa ethernet, encara que sigui entre " #~ "altres ordinadors." #~ msgid "When should snort be started?" #~ msgstr "Quan s'hauria d'iniciar el Snort?" #~ msgid "Please enter the address range that snort will listen on." #~ msgstr "Introduïu el rang d'adreces que escoltarà el Snort." #~ msgid "" #~ "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #~ "192.168.1.42/32 for just one. Specify multiple addresses on a single " #~ "line, separated by ',' (comma characters). No spaces allowed!" #~ msgstr "" #~ "Heu d'utilitzar el format CIDR, ex. 192.168.1.0/24 per un bloc de 256 IPs " #~ "o 192.168.1.42/32 per únicament una. Especifiqueu múltiples adreces " #~ "separades per ',' (caràcters de coma) i en una sola línia. Els espais no " #~ "estan permesos!" #~ msgid "" #~ "Disabling the promiscuous mode means that snort will only see packets " #~ "addressed to it's own interface. Enabling allows it to check every packet " #~ "that passes the ethernet even if it's a connection between two other " #~ "computers" #~ msgstr "" #~ "Si s'inhabilita el mode promiscu, el Snort únicament veurà els paquets " #~ "adreçats a la seva pròpia interfície. Cal que l'habiliteu per comprovar " #~ "cada paquet que passa per la xarxa ethernet, encara que sigui entre " #~ "altres ordinadors."
#~ msgid "Should snort's rules testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "S'hauria de canviar l'ordre de comprovació de les regles del Snort per " #~ "Pass|Alert|Log?" #~ msgid "" #~ "If you change snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge BPF command line " #~ "arguments to filter their alert rules." #~ msgstr "" #~ "Si canvieu l'ordre de comprovació de les regles del Snort per Pass|Alert|" #~ "Log, s'aplicaran en l'ordre Pass->Alert->Log, en comptes de l'estàndard " #~ "Alert->Pass->Log. Aquesta opció permetrà que els usuaris no hagin " #~ "d'utilitzar una gran quantitat d'arguments de la línia d'ordres de BPF " #~ "per filtrar les regles d'alerta." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have the following things at hand: - The " #~ "hostname of a machine running a pgsql server, set up to allow TCP\n" #~ " connections to the database (from this host).\n" #~ "- A database on the database server - A username and password for a user " #~ "that has write access to this database. If you don't have _all_ of these, " #~ "either select 'no' and run with regular file logging support, or fix this " #~ "first. You can always configure database logging later, by reconfiguring " #~ "the snort-pgsql package." #~ msgstr "" #~ "Aquestes tasques només les heu de realitzar la primera vegada que " #~ "instal·leu el snort-pgsql. Abans de continuar assegureu-vos de tenir: (1) " #~ "el nom d'un servidor central on s'estigui executant el servidor de PgSQL " #~ "i que permeti connexions TCP d'aquest ordinador, (2) una base de dades en " #~ "aquest servidor i (3) un nom d'usuari i una contrasenya d'un usuari amb " #~ "permís d'escriptura en aquesta base de dades.
Si no teniu tots els elements de la llista, solucioneu-ho " #~ "o seleccioneu l'opció 'no' i utilitzeu el suport tradicional de registre " #~ "per fitxer. Posteriorment, sempre podreu configurar el mode de registre " #~ "reconfigurant el paquet snort-pgsql." #~ msgid "" #~ "Please create the database structure now, using the following command:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -u -h \n" #~ "Filling in the correct values for the user, host, and database names. The " #~ "pgsql tool will prompt you for the password." #~ msgstr "" #~ "Creeu l'estructura de la base de dades utilitzant la següent ordre:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -u -h " #~ "\n" #~ "Omplint correctament les dades de l'usuari, ordinador central i nom de la " #~ "base de dades. L'eina psql us demanarà la contrasenya." #~ msgid "Please enter a password to connect to the SNORT Alert database" #~ msgstr "" #~ "Introduïu la contrasenya per a la connexió a la base de dades d'alertes " #~ "del Snort" #~ msgid "You are running snort manually." #~ msgstr "Esteu executant el Snort manualment." #~ msgid "" #~ "Please restart snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Per l'efectivitat dels canvis reinicieu el Snort utilitzant:\n" #~ " /etc/init.d/snort start\n" debian/po/ro.po0000664000000000000000000007533412317374526010604 0ustar # translation of ro.po to Romanian # Romanian translations for PACKAGE package # Traducerea în limba română pentru pachetul PACKAGE. # Copyright (C) 2007 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Eddy Petrisor , 2007. # Eddy Petrișor , 2007, 2008.
msgid "" msgstr "" "Project-Id-Version: ro\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2008-05-17 13:04+0300\n" "Last-Translator: Eddy Petrișor \n" "Language-Team: Romanian \n" "Language: ro\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < " "20)) ? 1 : 2;\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "la pornirea sistemului" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "la conectarea „dialup”" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuală" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Metoda de pornire a lui Snort:" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort poate fi pornit fie la pornirea sistemului, fie la conectarea la " "internet cu pppd, fie manual via /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "interfața/interfețele pe care să asculte Snort:" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." 
msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Această valoare este de obicei „eth0”, însă această valoare ar putea fi " "nepotrivită în unele rețele; pentru conexiuni „dialup”, „ppp0” ar putea fi " "mai indicată (a se vedea informațiile afișate de „/sbin/ifconfig”)." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "De obicei, aceasta este interfața pe care este definită ruta implicită. " "Puteți detecta care interfață este folosită în acest scop rulând „/sbin/" "route -n” (căutați „0.0.0.0”)." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. 
For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "De asemenea, nu este deloc neobișnuit a rula Snort pe o interfață fără " "adresă IP care este configurată în modul promiscuu. Dacă e cazul, selectați " "interfața care este conectată fizic la rețeaua care ar trebui inspectată, " "activați apoi modul promiscuu și asigurați-vă că traficul de rețea este " "trimis către această interfață (fie prin conectarea la un port de tip " "„oglindă” într-un switch, fie la un hub sau un interceptor)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Puteți configura mai multe interfețe prin simpla adăugare a mai mult de un " "singur nume de interfață, separatorul fiind spațiul. Fiecare interfață poate " "avea propria configurație specifică." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Intervalul de adrese pentru rețeaua locală:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Folosiți forma CIDR, de exemplu, 192.168.1.0/24 pentru un bloc de 256 de " "adrese IP sau 192.168.1.42/32 doar pentru o adresă. Valorile multiple " "trebuie separate cu virgulă (fără spații)." #. Type: string #.
Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "A se reține că dacă Snort este configurat să folosească mai multe interfețe, " "va folosi această valoare ca definiția lui HOME_NET pentru toate." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Se dezactivează modul promiscuu pe interfață?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Dezactivarea modului promiscuu înseamnă că Snort va „vedea” doar pachetele " "adresate interfeței monitorizate. Activarea acestuia îi va permite lui Snort " "să verifice fiecare pachet care trece prin segmentul Ethernet, chiar dacă " "este o conexiune între alte două calculatoare." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interfața nu e validă" #. Type: error #. Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort încearcă să folosească o interfață care nu există sau care nu este " "„ridicată”. Fie recurge în mod implicit și greșit la „eth0”, fie ați " "precizat o interfață care nu este validă." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?"
msgstr "Doriți mesaje electronice zilnice cu sumarul?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Se poate configura un serviciu cron care să trimită zilnic la o anumită " "adresă de poștă electronică sumare ale jurnalelor lui Snort." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Alegeți dacă doriți să activați această facilitate." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinatarul mesajelor zilnice cu statistici:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Precizați adresa de poștă electronică unde se vor recepționa sumarele " "zilnice ale jurnalelor Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Opțiuni adiționale particularizate:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Precizați orice alte opțiuni pe care să le folosească Snort." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Numărul minim de apariții pentru raportarea unei alerte:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Introduceți numărul minim de apariții ale unei anumite alerte necesar pentru " "a fi inclusă în statisticile zilnice." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Este necesară repornirea lui Snort" #. Type: note #. 
Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Deoarece Snort este pornit manual, trebuie să rulați „service snort restart” " "pentru ca schimbările să fie luate în considerare." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Fișier de configurare depășit" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Acest sistem folosește un fișier de configurare învechit (/etc/snort/snort." "common.parameters) care a fost convertit automat la noul format de fișier (/" "etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Verificați noul fișier de configurare și ștergeți-l pe cel vechi. Până " "atunci, scriptul init.d nu va folosi configurația nouă și nu veți profita de " "beneficiile introduse în versiunile mai noi." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Opțiuni depășite în fișierul de configurare" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release.
Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Fișierul de configurare pentru Snort (/etc/snort/snort.conf) folosește " "opțiuni depășite care nu mai sunt disponibile în această versiune de Snort. " "Snort nu va putea porni decât dacă furnizați un fișier de configurare " "corect. Fie permiteți înlocuirea fișierului de configurare cu cel furnizat " "de pachet, fie îl reparați manual prin ștergerea opțiunilor depășite." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "În fișierul de configurare au fost găsite următoarele opțiuni învechite: " "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Eroare de configurare" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Actuala configurație Snort nu este validă și îl va împiedica pe acesta să " "pornească normal. Revizuiți-o și corectați-o." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Pentru a diagnostica erorile din configurația Snort, puteți rula (ca root) " "următoarea comandă: „/usr/sbin/snort -T -c /etc/snort/snort.conf”" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Fișier de configurare depășit" #. Type: note #.
Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Au fost găsite următoarele fișiere de configurare învechite: " "${DEP_FILE}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Se pregătește o bază de date în care snort-mysql va face jurnalizarea?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Nu s-a pregătit nici o bază de date în care Snort să țină jurnalele. " #~ "Înainte de a continua, ar trebui să vă asigurați că aveți:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - numele serverului (acel server trebuie să permită conexiuni TCP\n" #~ " inițiate de pe acest sistem);\n" #~ " - o bază de date pe acel server;\n" #~ " - un nume de utilizator și o parolă pentru a accesa baza de date." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support."
#~ msgstr "" #~ "Dacă unele dintre aceste cerințe nu sunt satisfăcute, refuzați această " #~ "opțiune și rulați cu jurnalizare în fișiere obișnuite." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Jurnalizarea într-o bază de date poate fi reconfigurată mai târziu, cu " #~ "comanda „dpkg-reconfigure -plow snort-mysql”." #~ msgid "Database server hostname:" #~ msgstr "Numele serverului cu baza de date:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Precizați numele unui server de baze de date care permite primirea de " #~ "conexiuni de pe acest calculator." #~ msgid "Database name:" #~ msgstr "Numele bazei de date:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Precizați numele unei baze de date deja existente la care utilizatorul de " #~ "baze de date are drept de scriere." #~ msgid "Username for database access:" #~ msgstr "Numele de utilizator pentru accesul la baza de date:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Precizați un utilizator de baze de date care are drept de scriere în baza " #~ "de date." #~ msgid "Password for the database connection:" #~ msgstr "Parola pentru conectarea la baza de date:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Introduceți parola folosită pentru conectarea la baza de date pentru " #~ "alertele Snort." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Este obligatorie o bază de date configurată pentru Snort" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort are nevoie de o bază de date configurată anterior pentru a putea " #~ "porni. Pentru a crea structura, trebuie să rulați următoarele comenzi " #~ "DUPĂ ce pachetul este instalat:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Introduceți valorile corecte pentru utilizator, numele serverului și " #~ "numele bazei de date. MySQL vă va cere interactiv parola." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "După ce ați creat structura bazei de date, va trebui să porniți manual " #~ "Snort-ul." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "" #~ "Se pregătește o bază de date în care snort-pgsql va face jurnalizarea?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Jurnalizarea într-o bază de date poate fi reconfigurată mai târziu, cu " #~ "comanda „dpkg-reconfigure -plow snort-pgsql”." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Introduceți valorile corecte pentru utilizator, numele serverului și " #~ "numele bazei de date. PostgreSQL vă va cere interactiv parola." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" 
#~ msgstr "Se schimbă ordinea testelor lui Snort în Trece|Alertă|Jurnal?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Ordinea implicită de testare a lui Snort este Alertă|Trece|Jurnal; dacă " #~ "acceptați această opțiune, ordinea se va schimba în Trece|Alertă|Jurnal, " #~ "lucru care poate face mai facilă utilizarea lui Snort cu anumite unelte " #~ "de filtrare a pachetelor." #~ msgid "You are running Snort manually" #~ msgstr "Rulați Snort manual" #~ msgid "There is an error in your configuration" #~ msgstr "Există o eroare în configurația dumneavoastră" #~ msgid "Your configuration file is deprecated" #~ msgstr "Fișierul dumneavoastră de configurare este învechit" #~ msgid "boot, dialup, manual" #~ msgstr "la pornire, dialup, manual" #~ msgid "When should Snort be started?" #~ msgstr "Când trebuie pornit Snort?" # XXX: it would be nice if "any" would be translatable, too # XXX: of course, the postinst script uses the non-translated string #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Dacă doriți puteți alege 'any' (eng. pentru 'oricare'), dacă nu aveți " #~ "încredere în nici o parte a rețelei." #~ msgid "" #~ "One of the interfaces you specified is not valid (it might not exist on " #~ "the system or be down). Please introduce a valid interface when answering " #~ "the question of which interface(s) should Snort listen on." #~ msgstr "" #~ "Una dintre interfețele precizate de dumneavoastră nu este validă (poate " #~ "nu există în sistem sau nu era activă). Introduceți o interfață validă " #~ "când se răspunde la întrebarea legată de interfața/interfețele pe care " #~ "trebuie să asculte Snort." 
#~ msgid "" #~ "If you did not configure an interface then the package is trying to use " #~ "the default ('eth0') which does not seem to be valid in your system." #~ msgstr "" #~ "Dacă nu ați configurat o interfață atunci pachetul va încerca să " #~ "folosească valoarea implicită ('eth0') care nu pare a fi validă în " #~ "sistemul dumneavoastră." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "Dacă schimbați ordinea de testare a regulilor în Trece|Alarmă|Jurnal, " #~ "regulile vor fi aplicate în ordinea Trece->Alarmă->Jurnal, în loc de " #~ "ordinea standard Alarmă->Trece->Jurnal. Acest lucru va permite oamenilor " #~ "să nu fie forțați să creeze liste imense de argumente pentru Filtrul de " #~ "pachete Berkley pentru a filtra regulile de alertare." #~ msgid "" #~ "This Snort installation provides a cron job that runs daily and " #~ "summarises the information of Snort logs to a selected email address. If " #~ "you want to disable this feature say 'no' here." #~ msgstr "" #~ "Această instalare de Snort furnizează o sarcină de cron care rulează " #~ "zilnic și sumarizează informațiile din jurnalele lui Snort către o adresă " #~ "de poștă electronică selectată. Dacă doriți să dezactivați acestă " #~ "facilitate alegeți 'nu'." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." 
#~ msgstr "" #~ "O sarcină de cron care rulează zilnic va sumariza informațiilor din " #~ "jurnalele generate de Snort folosind un script numit 'snort-stat'. " #~ "Introduceți destinatarul acestor mesaje. Valoarea implicită este " #~ "administratorul de sistem. Dacă păstrați această valoare, asigurați-vă că " #~ "mesajele către adresa administratorului sunt redirectate către un " #~ "utilizator care chiar citește acele mesaje." #, fuzzy #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "" #~ "Dacă doriți să folosiți opțiuni particularizate pentru Snort, precizați-" #~ "le aici." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Reporniți Snort folosind:\n" #~ " /etc/init.d/snort start\n" #~ "pentru a permite opțiunilor de configurare să își facă efectul." #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "Configurația dumneavoastră pentru Snort nu este corectă și Snort nu va " #~ "putea să pornească normal. Revizuiți și reparați configurația. Dacă nu, " #~ "probabil că actualizările lui Snort se vor solda cu erori. Pentru a " #~ "verifica ce erori sunt generate, rulați '/usr/sbin/snort -T -c /etc/snort/" #~ "snort.conf' (sau indicați un alt fișier de configurare, dacă folosiți " #~ "fișiere diferite pentru diferitele interfețe)" #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. 
Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Trebuie să faceți acest lucru doar prima dată când instalați snort-mysql. " #~ "Înainte de a continua, asigurați-vă că aveți (1) numele calculatorului pe " #~ "care rulează serverul mysql configurat să accepte conexiuni tcp de pe " #~ "acest calculator, (2) o bază de date pe acel server, (3) un nume și o " #~ "parolă pentru a accesa baza de date. Dacă nu aveți _toate_ acestea, fie " #~ "selectați 'nu' și rulați cu suport pentru jurnalizare în fișiere, fie " #~ "rezolvați această problemă. Puteți oricând, mai târziu, să configurați " #~ "baza de date de jurnalizare prin reconfigurarea pachetului snort-mysql cu " #~ "'dpkg-reconfigure -plow snort-mysql'" #~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "Asigurați-vă că acest utilizator de bază de date are acces să scrie." #, fuzzy #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "Snort are nevoie de o bază de date configurată pentru a jurnalizare " #~ "înainte de a porni." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. 
You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Trebuie să faceți acest lucru doar prima dată când instalați snort-pgsql. " #~ "Înainte de a continua, asigurați-vă că aveți (1) numele calculatorului pe " #~ "care rulează serverul pgsql configurat să accepte conexiuni tcp de pe " #~ "acest calculator, (2) o bază de date pe acel server, (3) un nume și o " #~ "parolă pentru a accesa baza de date. Dacă nu aveți _toate_ acestea, fie " #~ "selectați 'nu' și rulați cu suport pentru jurnalizare în fișiere, fie " #~ "rezolvați această problemă. Puteți oricând, mai târziu, să configurați " #~ "baza de date de jurnalizare prin reconfigurarea pachetului snort-pgsql cu " #~ "'dpkg-reconfigure -plow snort-pgsql'" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Snort are nevoie de o bază de date configurată anterior pentru a putea " #~ "porni. Pentru a crea structura, trebuie să rulați următoarele comenzi " #~ "DUPĂ ce pachetul este instalat:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "\n" #~ "Completați valorile corecte pentru utilizator, calculator și " #~ "numele_bazei_de_date. PostgreSQL vă va cere parola." #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. 
This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Introduceți numele interfeței/interfețelor pe care să asculte Snort. " #~ "Numele interfețelor disponibile sunt furnizate prin rularea 'ip link " #~ "show' sau 'ifconfig'. De obicei, această valoare este 'eth0', dar este " #~ "posibil să doriți să schimbați acest lucru, dependent de situație, iar " #~ "dacă folosiți o conexiune dialup, 'ppp0' probabil este mai potrivită." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "Introduceți intervalul de adrese pe care să asculte Snort." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Dezactivați modul promiscuu dacă Snort este configurat pe o interfață " #~ "fără adresă IP." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "" #~ "Introduceți numele calculatorului al cărui bază de date mysql va fi " #~ "folosită." #~ msgid "Please enter the name of the database to use." #~ msgstr "Introduceți numele bazei de date care va fi folosită." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "" #~ "Introduceți numele utilizatorului de bază de date pe care doriți să-l " #~ "folosiți." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "Introduceți numele calculatorului al cărui bază de date pgsql va fi " #~ "folosită." debian/po/ta.po0000664000000000000000000012636712317374526010603 0ustar # translation of snort.po to TAMIL # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Dr.T.Vasudevan , 2007. 
msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2007-03-07 17:31+0530\n" "Last-Translator: Dr.T.Vasudevan \n" "Language-Team: TAMIL \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only when you manually start it via /usr/sbin/snort." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "ஸ்னோர்டை கணினி துவக்கும் போதோ, வலைக்கு பிபிபிடி ஐ பயன் படுத்தி இணைக்கும் போதோ அல்லது " "கைமுறையாக /usr/sbin/snort வழியாகவோ துவக்கலாம்." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "On which interface(s) should Snort listen?" msgid "Interface(s) which Snort should listen on:" msgstr "எந்த இடை முகத்தில் ஸ்னோர்ட் செவி சாய்க்க வேண்டும்?" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" #. Type: string #. 
Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Notice that Snort is usually configured to inspect all traffic coming " #| "from the Internet, so the interface you add here is usually the same the " #| "'default route' is on. You can determine which interface is used for " #| "this running either '/sbin/ip ro sh' or '/sbin/route -n' (look for " #| "'default' or '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "ஸ்னோர்ட் சாதாரணமாக உள்வரும் எல்லா போக்கு வரத்தை கண்காணிக்க வடிவமைக்கப் படுகிறதுஆகவே நீங்கள் " "இங்கு சேர்க்கும் இடைமுகம் வழக்கமாக முன்னிருப்பு தடம் உள்ளதே ஆகும். நீங்கள் '/sbin/ip ro " "sh' அல்லது '/sbin/route -n' ஐ இயக்கி இதற்கு எந்த இடைமுகம் பயன் படுகிறது என " "தெளியலாம் ('முன்னிருப்பு' அல்லது '0.0.0.0' ஐ கண்காணிக்கவும்.)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to run Snort on an interface with no IP and " #| "configured in promiscuous mode, if this is your case, select the " #| "interface in this system that is physically connected to the network you " #| "want to inspect, enable promiscuous mode later on and make sure that the " #| "network traffic is sent to this interface (either connected to a 'port " #| "mirroring/spanning' port in a switch, to a hub or to a tap)" msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "ஐபி இல்லாமலும் வரைமுறை இல்லா பாங்கில் வடிவமைக்கப் பட்ட இடைமுகத்தில் ஸ்னோர்ட்டை இயக்குவதும் " "வழக்கமே. 
இந்த பாங்கிற்கு நீங்கள் ஆராய விரும்பும் வலைப் பின்னலுக்குபௌதிகமாக இணக்கப் பட்டுள்ள " "இந்த கணினியின் இடைமுகத்தை தேர்ந்தெடுக்கவும். பின்னால்வரைமுறை இல்லா பாங்கை செயல் படுத்தி " "இந்த இடைமுகத்துக்கு போக்கு வரத்து அனுப்பப் படுவதைஉறுதி செய்யவும். (துறை பிரதிபலிப்பான்/ " "மாற்றுத் துறை மாற்றிக்கு அல்லது ஒரு குவியத்துக்கோகுழாய்க்கோ இணைத்து)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "You can configure multiple interfaces here, just by adding more than one " #| "interface name separated by spaces. Each interface can have its specific " #| "configuration." msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "நீங்கள் இங்கு பல இடைமுகங்களை வடிவமைக்கலாம். ஒன்றுக்கு மேற்பட்ட பெயர்களைவெற்றிடத்தால் " "பிரித்து இங்கு சேர்க்கவும். ஒவ்வொரு இடைமுகமும் அதன் தனி வடிவமைப்பை பெற்று இருக்கலாம்" #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "Please enter the address range that Snort will listen on." msgid "Address range for the local network:" msgstr "ஸ்னோர்ட் செவி சாய்க்க வேண்டிய முகவரி வீச்சை உள்ளிடவும்." #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "" #| "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #| "192.168.1.42/32 for just one. Specify multiple addresses on a single line " #| "separated by ',' (comma characters), no spaces allowed!" msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "நீங்கள் CIDR பாங்கு அதாவது 256 ஐபி களுக்கு 192.168.1.0/24 ஐ அல்லது ஒன்றுக்கு மட்டும் " "192.168.1.42/32 ஐ குறிப்பிடவும். பல முகவரிகளை , (கமாவால்) பிரித்து குறிப்பிடவும். " "வெற்றிடத்துக்கு அனுமதியில்லை!" #. Type: string #. 
Description #: ../snort.templates:4001 #, fuzzy #| msgid "" #| "Notice that if you are using multiple interfaces this definition will be " #| "used as the HOME_NET definition of all of them." msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "நீங்கள் பல இடைமுகங்களை பயன் படுத்தினால் இந்த வரையரை அவை அனைத்தின் இல்லவலை (HOME_NET) " "வரையரையாக பயன் படுத்தப் படும்." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "ஸ்னோர்ட் இடைமுகத்தில் பாங்கை செயலிழக்கச் செய்ய வேண்டுமா?" #. Type: boolean #. Description #: ../snort.templates:5001 #, fuzzy #| msgid "" #| "Disabling promiscuous mode means that Snort will only see packets " #| "addressed to it's own interface. Enabling it allows Snort to check every " #| "packet that passes ethernet segment even if it's a connection between two " #| "other computers." msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "வரைமுறை இல்லா பாங்கை செயலிழக்கச் செய்வது என்பது ஸ்னோர்ட்டை அதன் இடைமுகத்தில் " "வரும்பொட்டலங்களை மட்டும் சோதிக்க அனுமதிக்கும். செயல் படுத்துவது ஈதர்நெட் வழியாக போகும் " "எல்லா பொட்டலங்களையும் சோதிக்க- இரண்டு கணினிகளிடையே கூட - அனுமதிக்கும்." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "செல்லுபடியாகாத இடைமுகம்" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" 
msgstr "தினசரி சுருக்கத்தை மின்னஞ்சலில் அனுப்ப வேண்டுமா?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description #: ../snort.templates:8001 #, fuzzy #| msgid "Who should receive the daily statistics mails?" msgid "Recipient of daily statistics mails:" msgstr "தினசரி புள்ளிவிவர அஞ்சலை யார் பெற வேண்டும்?" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description #: ../snort.templates:10001 #, fuzzy #| msgid "" #| "An alert needs to appear more times than this number to be included in " #| "the daily statistics." msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "இந்த எண்ணைக் காட்டிலும் அதிக எச்சரிக்கைகள் தோன்றினால் மட்டும் அது தினசரி புள்ளி விவரத்தில் " "சேர்க்கப் படும்." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" #. Type: error #. 
Description #: ../snort.templates:12001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Obsolete configuration file" msgstr "இந்த கணினி வழக்கொழிந்த வடிவமைப்பு கோப்பை பயன் படுத்துகிறது." #. Type: error #. Description #: ../snort.templates:12001 #, fuzzy #| msgid "" #| "Your system has an obsolete configuration file (/etc/snort/snort.common." #| "parameters) which has been automatically converted into the new " #| "configuration file format (at /etc/default/snort). Please review the new " #| "configuration and remove the obsolete one. Until you do this, the init.d " #| "script will not use the new configuration and you will not take advantage " #| "of the benefits introduced in newer releases." msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "இந்த கணினி வழக்கொழிந்த வடிவமைப்பு கோப்பை பயன் படுத்துகிறது. (/etc/snort/snort." "common.parameters) இது தானியங்கியாக புதிய வடிவமைப்பு கோப்பாக மாற்றப் பட்டுவிட்டது. " "(/etc/default/snort இல்) தயை செய்து புதிய கோப்பை மறு ஆய்வு செய்து வழக்கொழிந்த " "கோப்பை நீக்கவும்.இதை நீங்கள் செய்யும் வரை init.d சிறுநிரல் புதிய வடிவமைப்பை " "பயன்படுத்தாது; நீங்களும் புதிய பதிப்பு தரும் வசதிகளை பயன் படுத்த இயலாது." #. Type: error #. Description #: ../snort.templates:12001 #, fuzzy #| msgid "" #| "Your system has an obsolete configuration file (/etc/snort/snort.common." #| "parameters) which has been automatically converted into the new " #| "configuration file format (at /etc/default/snort). Please review the new " #| "configuration and remove the obsolete one. Until you do this, the init.d " #| "script will not use the new configuration and you will not take advantage " #| "of the benefits introduced in newer releases." msgid "" "Please review the new configuration and remove the obsolete one. 
Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "இந்த கணினி வழக்கொழிந்த வடிவமைப்பு கோப்பை பயன் படுத்துகிறது. (/etc/snort/snort." "common.parameters) இது தானியங்கியாக புதிய வடிவமைப்பு கோப்பாக மாற்றப் பட்டுவிட்டது. " "(/etc/default/snort இல்) தயை செய்து புதிய கோப்பை மறு ஆய்வு செய்து வழக்கொழிந்த " "கோப்பை நீக்கவும்.இதை நீங்கள் செய்யும் வரை init.d சிறுநிரல் புதிய வடிவமைப்பை " "பயன்படுத்தாது; நீங்களும் புதிய பதிப்பு தரும் வசதிகளை பயன் படுத்த இயலாது." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Deprecated options in configuration file" msgstr "இந்த கணினி வழக்கொழிந்த வடிவமைப்பு கோப்பை பயன் படுத்துகிறது." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "" #| "Your Snort configuration file (/etc/snort/snort.conf) uses deprecated " #| "options no longer available for this Snort release. Snort will not be " #| "able to start unless you provide a correct configuration file. You can " #| "substitute your configuration file with the one provided in this package " #| "or fix it manually by removing deprecated options." msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "உங்கள் ஸ்னோர்ட் வடிவமைப்பு கோப்பு (/etc/snort/snort.conf) இந்த பதிப்பு ஸ்னோர்ட் இல் " "கைவிடப்பட்ட இப்போது கிடைக்காத தேர்வுகளை பயன் படுத்துகிறது.நீங்கள் சரியான வடிவமைப்பு " "கோப்பை தரும் வரை ஸ்னோர்ட் துவங்க இயலாது. இந்த பொதியில் தரப் பட்டுள்ள ஒன்றால் உங்கள் " "வடிவமைப்பு கோப்பை நீக்கலாம். 
அல்லது கைமுறையாக கைவிடப்பட்ட தேர்வுகளை நீக்கி சரி செய்யலாம்." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "" #| "The following deprecated options were found in your configuration file: " #| "${DEP_CONFIG}" msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "உங்கள் வடிவமைப்பு கோப்பில் பின்வரும் கைவிடப்பட்ட தேர்வுகள் காணப் பட்டன:${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "This system uses an obsolete configuration file" msgid "Deprecated configuration file" msgstr "இந்த கணினி வழக்கொழிந்த வடிவமைப்பு கோப்பை பயன் படுத்துகிறது." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. 
Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in your configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "உங்கள் வடிவமைப்பு கோப்பில் பின்வரும் கைவிடப்பட்ட தேர்வுகள் காணப் பட்டன:${DEP_CONFIG}" #, fuzzy #~| msgid "Do you want to set up a database for snort-mysql to log to?" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "ஸ்னோர்ட்-மைஎஸ்க்யூஎல் உள்நுழைய ஒரு தரவுத்தளம் அமைக்க விரும்புகிறீர்களா?" #, fuzzy #~| msgid "" #~| "Make sure it has been set up correctly to allow incoming connections " #~| "from this host!" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "அது உள் வரும் இணப்புகளை அனுமதிக்க சரியாக அமைக்கப்பட்டுள்ளதா என உறுதி செய்து " #~ "கொள்ளவும்!" #, fuzzy #~| msgid "" #~| "Make sure this database has been created and your database user has " #~| "write access to this database." #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "இந்த தரவுத்தளம் உருவாக்கப் பட்டுவிட்டது என்பதையும் பயனருக்கு இந்த தரவுத்தளத்தில் அணுக " #~ "எழுத அனுமதி உள்ளது என்பதையும் உறுதி செய்து கொள்ளவும்." #, fuzzy #~| msgid "Please enter the password for the database connection." #~ msgid "Password for the database connection:" #~ msgstr "தரவுத் தள இணப்புக்கு கடவுச்சொல் உள்ளிடுக." #, fuzzy #~| msgid "Please enter a password to connect to the Snort Alert database." #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "ஸ்னோர்ட் அலர்ட் தரவுத் தள இணப்புக்கு கடவுச்சொல் உள்ளிடுக." #, fuzzy #~| msgid "" #~| "Snort needs a configured database before it can successfully start up. 
" #~| "In order to create the structure you need to run the following commands " #~| "AFTER the package is installed:\n" #~| " cd /usr/share/doc/snort-mysql/\n" #~| " zcat create_mysql.gz | mysql -u -h -p \n" #~| "Fill in the correct values for the user, host, and database names. MySQL " #~| "will prompt you for the password." #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "ஸ்னோர்ட் வெற்றிகரமாக துவக்கப் பட வடிவமைக்கப் பட்ட தரவுத்தளம் தேவை. பொதி நிறுவப் பட்ட " #~ "*பின்* பின் வரும் கட்டளைகளை இயக்கி உங்களுக்கு தேவையான அமைப்பை உருவாக்கவும்:\n" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_postgresql.gz | myql -U -h -W \n" #~ "பயனர், புரவலன் மற்றும் தரவுத்தள பெயர்கள் ஆகியவற்றுக்கு சரியான மதிப்புகளை நிரப்புக. " #~ "MySQL கடவுச்சொல்லுக்காக உங்களை தூண்டும்." #, fuzzy #~| msgid "" #~| "After you created the database structure, you will need to start Snort " #~| "manually." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "நீங்கள் தரவுத்தள அமைப்பை உருவாக்கிய பின் ஸ்னோர்ட்டை கைமுறையாக துவக்க வேண்டும்." #, fuzzy #~| msgid "Do you want to set up a database for snort-pgsql to log to?" #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "ஸ்னோர்ட்-பிஜிஎஸ்க்யூஎல் உள்நுழைய தரவுத்தளம் ஒன்றை உருவாக்க வேண்டுமா?" #, fuzzy #~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "ஸ்னோர்டின் சோதிக்கும் வரிசை விதிகள் அனுப்பு| எச்சரி|லாக் பதிவு என மாற்றப் பட வேண்டுமா?" #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" #~ msgstr "நீங்கள் ஸ்னோர்டை கைமுறையாக இயக்குகிறீர்கள்." #~ msgid "There is an error in your configuration" #~ msgstr "உங்கள் வடிவமைப்பில் ஒரு பிழை உள்ளது." 
#~ msgid "Your configuration file is deprecated" #~ msgstr "உங்கள் வடிவமைப்பு கோப்பு கைவிடப்பட்டது." #~ msgid "boot, dialup, manual" #~ msgstr "துவக்கம், டயல் செய்த போது, கைமுறை" #~ msgid "When should Snort be started?" #~ msgstr "ஸ்னோர்ட் எப்போது துவக்கப் பட வேண்டும்?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "வலைப்பின்னலின் எந்த பகுதியையும் நம்பாமல் இருக்க விரும்பினால் 'ஏதும்' எனக் குறிப்பிடலாம்." #~ msgid "" #~ "One of the interfaces you specified is not valid (it might not exist on " #~ "the system or be down). Please introduce a valid interface when answering " #~ "the question of which interface(s) should Snort listen on." #~ msgstr "" #~ "நீங்கள் குறிப்பிட்ட இடைமுகத்தில் ஒன்று செல்லுபடியாகாதது. (அது இல்லாமல் இருக்கலாம் " #~ "அல்லது செயலிழந்திருக்கலாம்.) எந்த இடை முகத்தில் ஸ்னோர்ட் செவி சாய்க்க வேண்டும்? என்ற " #~ "கேள்விக்கு பதில் தரும் போது ஒரு செல்லுபடியாகும் இடைமுகத்தை குறிப்பிடவும்." #~ msgid "" #~ "If you did not configure an interface then the package is trying to use " #~ "the default ('eth0') which does not seem to be valid in your system." #~ msgstr "" #~ "நீங்கள் ஒரு இடைமுகத்தை குறிப்பிடவில்லையானால் இந்த பொதி முன்னிருப்பான 'eth0'ஐ " #~ "பயன்படுத்த முயல்கிறது. அது உங்கள் கணினியில் செல்லுபடியாகாதது போல தெரிகிறது." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "ஸ்னோர்டின் சோதிக்கும் வரிசை விதிகள் அனுப்பு| எச்சரி|லாக் பதிவு என மாற்றினால்அந்த " #~ "வரிசையில் அவை செயல்படுத்தப் படும். சாதாரணமாக இந்த வரிசை எச்சரி|அனுப்பு |லாக் " #~ "பதிவுஇது மக்களை அவர்களின் எச்சரிக்கை விதிகளை பெர்கி பொட்டல வடிப்பி கட்டளை வரி " #~ "தர்க்கத்துக்கு நீண்ட வரி எழுதுவதை தவிர்க்கும்." 
#~ msgid "" #~ "This Snort installation provides a cron job that runs daily and " #~ "summarises the information of Snort logs to a selected email address. If " #~ "you want to disable this feature say 'no' here." #~ msgstr "" #~ "இந்த ஸ்னோர்ட் நிறுவல் ஒரு க்ரான் வேலையை தினசரி இயக்குகிறது. அது ஸ்னோர்ட் பதிவேட்டில் " #~ "உள்ளவற்றை சுருக்கி ஒரு மின்னஞ்சலுக்கு அனுப்புகிறது. இதை வேண்டாம் என கருதினால் இங்கு " #~ "இல்லை என குறிப்பிடவும்." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." #~ msgstr "" #~ "தினசரி இயங்கும் ஒரு க்ரான் வேலை 'snort-stat' என்ற ஒரு சிறுநிரலால் அது ஸ்னோர்ட் " #~ "பதிவேட்டில் உள்ள தகவலை சுருக்குகிறது. இங்கு அதை பெற வேண்டிய நபரை குறிப்பிடவும். " #~ "முன்னிருப்பு கணினி மேலாளர். நீங்கள் இதையே வைத்துக் கொள்வதாக இருந்தால் " #~ "மேலாளரிடமிருந்து நிச்சயமாக படிக்கும் ஒரு பயனருக்கு அது மேல் அனுப்பப் படுவதை உறுதி " #~ "செய்து கொள்ளவும்." #, fuzzy #~| msgid "" #~| "If you want to specify custom options to Snort, please specify them here." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "" #~ "நீங்கள் ஸ்னோர்டுக்கு தனிப்பயன் தேர்வுகளை குறிப்பிட விரும்பினால் இங்கு குறிப்பிடவும். " #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "அமைப்பு செயல்பட தயை செய்து ஸ்னோர்டை\n" #~ "இதை பயன் படுத்தி மீள்துவக்கவும்:\n" #~ " /etc/init.d/snort start" #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. 
To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "உங்கள் ஸ்னோர்ட் வடிவமைப்பு சரியாக இல்லை. ஆகவே ஸ்னோர்ட் சரியாக துவக்கப் பட முடியாது. " #~ "உங்கள் வடிவமைப்பை பார்த்து சரி செய்யவும். இதை செய்யாவிட்டால் மேம் படுத்தல்கள் சிதையும். " #~ "என்ன பிழை நிகழுகிறது என அறிய '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' ஐ இயக்குங்கள்.அல்லது பல்வேறு இடைமுகங்களுக்கு பல்வேறு கோப்புகளைப் பயன் " #~ "படுத்தினால் மாற்று வடிவமைப்பு கோப்பு ஒன்றை சுட்டிக் காட்டுங்கள்." #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "முதல் முறை நீங்கள் ஸ்னோர்ட்-மைஎஸ்க்யூஎல் நிறுவும்போது மட்டும் இதை செய்தால் போதும். மேலே " #~ "தொடருமுன் கீழ் கண்டவை உங்களிடம் இருப்பதை உறுதி படுத்திக் கொள்ளுங்கள். (1) இந்த " #~ "புரவலனினிருந்து டிசிபி இணப்புகளை அனுமதிக்கும் மைஎஸ்க்யூஎல் சேவையகத்தை இயக்கும் " #~ "கணினியின் புரவலன் பெயர். (2) அந்த சேவயகத்தில் ஒரு தரவுத்தளம்.(3) அந்த தரவுத் தளத்தை " #~ "அணுக பயனர் பெயரும் கடவுச் சொல்லும். இதெல்லாம் இல்லை எனில் 'இல்லை' ஐ தேர்ந்தெடுத்து " #~ "வழக்கமான கோப்பு பதியும் ஆதரவுடன் இயக்குக. அல்லது இதை முதலில் சரி செய்க. நீங்கள் " #~ "எப்போது வேண்டுமானாலும் உள்நுழைந்து தரவுத்தள வடிவமைப்பை மாற்றிக் கொள்ளலாம். இதற்கு " #~ "ஸ்னோர்ட்-மைஎஸ்க்யூஎல் பணித் தொகுப்பை 'dpkg-reconfigure -plow snort-mysql' கட்டளை " #~ "மூலம் செய்யலாம்." 
#~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "இந்த பயனருக்கு இந்த தரவுத்தளத்தில் அணுக எழுத அனுமதி உள்ளது என்பதை உறுதி செய்து " #~ "கொள்ளவும்." #, fuzzy #~| msgid "Snort needs a configured database to log to before it starts." #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "ஸ்னோர்ட் துவங்கும் முன் அது உள்நுழைய ஒரு வடிவமைத்த தரவுத்தளம் தேவை." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "முதல் முறை நீங்கள் ஸ்னோர்ட்-பிஜிஎஸ்க்யூஎல் நிறுவும்போது மட்டும் இதை செய்தால் போதும். மேலே " #~ "தொடருமுன் கீழ் கண்டவை உங்களிடம் இருப்பதை உறுதி படுத்திக் கொள்ளுங்கள். (1) இந்த " #~ "புரவலனினிருந்து டிசிபி இணப்புகளை அனுமதிக்கும் பிஜிஎஸ்க்யூஎல் சேவையகத்தை இயக்கும் " #~ "கணினியின் புரவலன் பெயர். (2) அந்த சேவயகத்தில் ஒரு தரவுத்தளம்.(3) அந்த தரவுத் தளத்தை " #~ "அணுக பயனர் பெயரும் கடவுச் சொல்லும். இதெல்லாம் இல்லை எனில் 'இல்லை' ஐ தேர்ந்தெடுத்து " #~ "வழக்கமான கோப்பு பதியும் ஆதரவுடன் இயக்குக. அல்லது இதை முதலில் சரி செய்க. நீங்கள் " #~ "எப்போது வேண்டுமானாலும் உள்நுழைந்து தரவுத்தள வடிவமைப்பை மாற்றிக் கொள்ளலாம். இதற்கு " #~ "ஸ்னோர்ட்-பிஜிஎஸ்க்யூஎல் பணித் தொகுப்பை 'dpkg-reconfigure -plow snort-pgsql' " #~ "கட்டளை மூலம் செய்யலாம்." #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "ஸ்னோர்ட் வெற்றிகரமாக துவக்கப் பட வடிவமைக்கப் பட்ட தரவுத்தளம் தேவை. பொதி நிறுவப் பட்ட " #~ "*பின்* பின் வரும் கட்டளைகளை இயக்கி உங்களுக்கு தேவையான அமைப்பை உருவாக்கவும்:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "பயனர், புரவலன் மற்றும் தரவுத்தள பெயர்கள் ஆகியவற்றுக்கு சரியான மதிப்புகளை நிரப்புக. " #~ "PostgreSQL கடவுச்சொல்லுக்காக உங்களை தூண்டும்." #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "எந்த இடை முகத்தில் ஸ்னோர்ட் செவி சாய்க்க வேண்டும் என உள்ளீடு செய்யுங்கள். கிடைக்கக் கூடிய " #~ "இடைமுகங்கள் 'ifconfig'இன் 'iplink show'கட்டளையை இயக்குவதால்கிடைக்கப் பெறும். இந்த " #~ "மதிப்பு சாதாரணமாக 'eth0'ஆனால் நீங்கள் உங்கள் சூழ்நிலையை பொறுத்துஇதை மாற்ற " #~ "விரும்பலாம். நீங்கள் டயல் அப் இணைப்பை பயன்படுத்தினால் 'ppp0' பொருத்தமானதாக இருக்கும். " #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "ஸ்னோர்ட் செவி சாய்க்க வேண்டிய முகவரி வீச்சை உள்ளிடவும்." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "வடிவமைத்த ஐபி முகவரி இல்லாத இடைமுகத்தில் ஸ்னோர்ட்டை நிறுவுவதானால் வரைமுறையற்ற " #~ "பாங்கைசெயல் நீக்குங்கள்" #~ msgid "Please enter the hostname of the mysql database server to use." 
#~ msgstr "பயன்படுத்த வேண்டிய மைஎஸ்க்யூஎல் தரவுத்தள சேவையகத்தின் புரவலன் பெயரை உள்ளிடுக." #~ msgid "Please enter the name of the database to use." #~ msgstr "பயன்படுத்த வேண்டிய தரவுத் தளத்தின் பெயரை உள்ளிடுக. " #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "தரவுத் தளத்தை பயன்படுத்த பயனர் பெயரை உள்ளிடுக. " #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "பயன்படுத்த வேண்டிய பிஜிஎஸ்க்யூஎல் தரவுத்தள சேவையகத்தின் புரவலன் பெயரை உள்ளிடுக." debian/po/de.po0000664000000000000000000003240012317374526010547 0ustar # German debconf translation of snort. # This file is distributed under the same license as the snort package. # Copyright (C) 1998-2002 Martin Roesch. # Copyright (C) of this file 2004-2008 Erik Schanze, # 2013 Chris Leick . # msgid "" msgstr "" "Project-Id-Version: snort 2.9.5.3-2\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-14 17:57+0100\n" "Last-Translator: Chris Leick \n" "Language-Team: German \n" "Language: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "Systemstart" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "Einwahl" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuell" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Startmethode für Snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." 
msgstr "" "Bitte wählen Sie, wie Snort gestartet werden soll: automatisch beim " "Systemstart, automatisch, wenn die Verbindung zum Netz mit PPPD hergestellt " "wird, oder manuell mit dem Befehl /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Schnittstelle(n) an der/denen Snort auf Verbindungen warten soll:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Dieser Wert ist normalerweise »eth0«, aber das kann in einigen " "Netzwerkumgebungen anders sein; bei einer Einwahlverbindung könnte »ppp0« " "besser passen (sehen Sie sich die Ausgabe des Befehls »/sbin/ifconfig« an)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Normalerweise ist das dieselbe Schnittstelle, auf die die »Standard-Route« " "zeigt. Sie können die verwendete Schnittstelle mit dem Befehl »/sbin/route " "-n« herausfinden (suchen Sie nach »0.0.0.0«)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Es ist auch nicht ungewöhnlich, Snort an einer Schnittstelle ohne IP-Adresse im Modus " "»promiscuous« zu betreiben. 
In diesem Fall wählen Sie die Schnittstelle aus, " "die physisch mit dem Netzwerk verbunden ist, das Sie überwachen wollen und " "schalten später den Modus »promiscuous« ein. Stellen Sie sicher, dass der " "Netzwerkverkehr die Schnittstelle erreicht (entweder ist sie mit einem " "Anschluss für »Port-Mirroring/Spanning« eines Switches, mit einem Hub " "oder Tap verbunden)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Sie können mehrere Schnittstellennamen durch Leerzeichen getrennt eingeben. " "Jede Schnittstelle kann eigene Einstellungen haben." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Adressbereich des lokalen Netzwerks:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Bitte benutzen Sie das CIDR-Format, z. B. 192.168.1.0/24 für einen Block von " "256 IP-Adressen oder 192.168.1.42/32 für nur eine. Mehrere IP-Adressen " "sollten durch Kommas getrennt werden (ohne Leerzeichen)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Bitte beachten Sie: Wenn für Snort mehrere Schnittstellen eingerichtet sind, " "wird es diese Festlegung als HOME_NET-Definition für alle gemeinsam verwenden." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Soll Snort den Modus »promiscuous« an der Schnittstelle ausschalten?" #. Type: boolean #. 
Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Das Ausschalten des Modus »promiscuous« bedeutet, dass Snort nur die Pakete " "sehen wird, die an die Schnittstelle adressiert sind, die es überwacht. Das " "Einschalten ermöglicht es Snort, alle Pakete zu überprüfen, die das " "Netzwerksegment durchlaufen, selbst wenn dies eine Verbindung zwischen zwei " "anderen Rechnern ist." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Ungültige Schnittstelle" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort versucht, eine Schnittstelle zu nutzen, die es nicht gibt oder die " "nicht aktiv ist. Entweder ist die Vorgabe »eth0« hier unpassend, oder Sie " "haben eine ungültige Schnittstelle eingegeben." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Sollen tägliche Zusammenfassungen per E-Mail verschickt werden?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Es kann ein Cronjob eingerichtet werden, der täglich Zusammenfassungen der " "Protokolle von Snort an eine bestimmte E-Mail-Adresse schickt." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Bitte stimmen Sie zu, wenn Sie diese Funktionalität aktivieren möchten." #. Type: string #. 
Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Empfänger der täglichen Statistik-E-Mails:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Bitte geben Sie die E-Mail-Adresse ein, an die täglich Zusammenfassungen der " "Protokolle von Snort geschickt werden sollen." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Zusätzliche benutzerspezifische Optionen:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Bitte geben Sie alle weiteren Optionen ein, die Snort benutzen soll." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimale Ereignisanzahl, ab der Alarme gemeldet werden:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Bitte geben Sie die minimale Anzahl von Alarmen ein, ab der dieser Alarm in " "die tägliche Statistik aufgenommen wird." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Neustart von Snort erforderlich" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Da Snort manuell gestartet wurde, müssen Sie den Befehl »service snort " "restart« aufrufen, damit die Änderungen wirksam werden." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Veraltete Konfigurationsdatei" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." 
"parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Dieses System nutzt eine veraltete Konfigurationsdatei (/etc/snort/snort." "common.parameters), die automatisch in das neue Format (/etc/default/snort) " "umgewandelt wurde." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Bitte überprüfen Sie die neue Konfigurationsdatei und löschen Sie die " "veraltete. Bis dahin wird das Startskript die neuen Einstellungen nicht " "verwenden und Sie können die Vorteile der neuen Versionen nicht nutzen." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Missbilligte Optionen in der Konfigurationsdatei" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Die Snort-Konfigurationsdatei (/etc/snort/snort.conf) benutzt missbilligte " "Optionen, die ab dieser Version von Snort nicht mehr gültig sind. Snort kann " "solange nicht starten, bis Sie eine korrekte Konfigurationsdatei " "bereitstellen. Sie können entweder Ihre Konfigurationsdatei durch die dieses " "Pakets ersetzen oder Sie entfernen die missbilligten Optionen selbst." #. Type: note #. 
Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Folgende missbilligte Optionen wurden in der Konfigurationsdatei gefunden: " "${DEP_CONFIG}." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Konfigurationsfehler" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Die aktuelle Konfiguration von Snort ist ungültig und verhindert dessen " "normalen Start. Bitte kontrollieren und berichtigen Sie diese." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Führen Sie (als Root) den Befehl »/usr/sbin/snort -T -c " "/etc/snort/snort.conf« aus, um Fehler in Ihrer Konfiguration von Snort zu " "finden." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Missbilligte Konfigurationsdatei" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Ihr System hat missbilligte Konfigurationsdateien, die nicht länger benutzt " "werden sollten. Diese könnten missbilligte Optionen enthalten. Falls sie über " "die Standardkonfigurationsdatei (/etc/snort/snort.conf) eingefügt wurden, " "können sie verhindern, dass Snort korrekt startet." #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Bitte entfernen Sie diese Dateien ebenso wie bestehende Verweise darauf in " "der Konfigurationsdatei /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Die folgenden missbilligten Konfigurationsdateien wurden gefunden: ${DEP_FILE}" debian/po/vi.po0000664000000000000000000005431512317374526010606 0ustar # Vietnamese translation for Snort. # Copyright © 2008 Free Software Foundation, Inc. # Clytie Siddall , 2005-2008. # msgid "" msgstr "" "Project-Id-Version: snort 2.7.0-15\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2008-04-28 16:20+0930\n" "Last-Translator: Clytie Siddall \n" "Language-Team: Vietnamese \n" "Language: vi\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=1; plural=0;\n" "X-Generator: LocFactoryEditor 1.7b3\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "khởi động" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "quay số" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "bằng tay" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Phương pháp khởi chạy Snort:" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." 
msgstr "" "Có thể khởi chạy Snort trong khi khởi động máy, khi kết nối đến Internet " "bằng pppd, hoặc chỉ khi bạn tự khởi chạy nó thông qua « /usr/sbin/snort »." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Các giao diện trên chúng Snort nên lắng nghe:" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Giá trị này thường là « eth0 », nhưng nó có thể không thích hợp trong một số " "môi trường mạng; đối với kết nối quay số thì « ppp0 » có thể thích hợp hơn " "(xem kết xuất của « /sbin/ifconfig »)." # Notice that Snort is usually configured to inspect all traffic coming # from the Internet, so the interface you add here is usually the same the # 'default route' is on. You can determine which interface is used for # this running either '/sbin/ip ro sh' or '/sbin/route -n' (look for # 'default' or '0.0.0.0'). #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Bình thường, đây là cùng một giao diện với cái chứa « tuyến mặc định ». 
Bạn " "có thể quyết định giao diện nào được dùng cho tuyến đường này, bằng cách " "chạy « /sbin/route -n » (tìm địa chỉ « 0.0.0.0 »)." # It is also not uncommon to run Snort on an interface with no IP and # configured in promiscuous mode, if this is your case, select the # interface in this system that is physically connected to the network you # want to inspect, enable promiscuous mode later on and make sure that the # network traffic is sent to this interface (either connected to a 'port # mirroring/spanning' port in a switch, to a hub or to a tap) #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Một số người nào đó cũng dùng một giao diện không có địa chỉ IP được cấu " "hình trong chế độ không phân biệt (promiscuous mode). Trong trường hợp như " "vậy, hãy chọn giao diện trên hệ thống này mà kết nối vật chất đến mạng cần " "kiểm tra, hiệu lực chế độ không phân biệt về sau, và kiểm tra xem trọng tải " "trên mạng được gửi cho giao diện này (hoặc kết nối đến một cổng kiểu « phản " "chiếu/xuyên qua » trong cái chuyển, đến một cái nối hay một dây rẽ)." #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Cũng có thể cấu hình nhiều giao diện: liệt kê các tên giao diện định giới " "bằng dấu cách. Mỗi giao diện có thể đặt cấu hình riêng." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Phạm vi địa chỉ cho mạng cục bộ :" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Bạn cần phải sử dụng dạng CIDR, tức là « 192.168.1.0/24 » cho một khối 256 " "địa chỉ IP, hay « 192.168.1.42/32 » cho chỉ một điều. Ghi rõ nhiều địa chỉ " "trong cùng một dòng riêng lẻ, định giới bằng dấu phẩy « , » (không có dấu " "cách)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Ghi chú rằng nếu Snort được cấu hình để dùng nhiều giao diện, nó sẽ dùng giá " "trị này làm lời định nghĩa « HOME_NET » cho tất cả." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Snort nên tắt chế độ không phân biệt trên giao diện này không?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." 
msgstr "" "Vô hiệu hóa chế độ không phân biệt có nghĩa là trình Snort sẽ chỉ thấy những " "gói tin được gửi cho giao diện nó đang theo dõi. Việc hiệu lực chế độ này " "thì cho phép trình Snort kiểm tra mọi gói tin đi qua đoạn Ethernet, thậm chí " "nếu nó là kết nối giữa hai máy tính khác." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Giao diện không hợp lệ" #. Type: error #. Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort đang thử dùng một giao diện không tồn tại hoặc bị tắt. Hoặc nó đang " "trở về giá trị mặc định sai « eth0 », hoặc bạn đã ghi rõ một giao diện không " "hợp lệ." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Có nên gửi hàng ngày thư đính kèm bản tóm tắt không?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Có thể thiết lập một công việc định thời để gửi hàng ngày bản tóm tắt của " "các bản ghi Snort cho một địa chỉ thư điện tử đã chọn." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Hãy chọn có nên kích hoạt tính năng này hay không." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Người nhận thư thống kê hàng ngày:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." 
msgstr "" "Hãy ghi rõ địa chỉ thư điện tử nên nhận bản tóm tắt của các bản ghi Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Tùy chọn riêng thêm:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Hãy ghi rõ bất cứ tùy chọn khác nào Snort nên dùng." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Số lần xảy ra tối thiểu trước khi báo động:" # An alert needs to appear more times than this number to be included in # the daily statistics. #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Hãy nhập số tối thiểu các lần xảy ra báo động trước khi một báo động đã cho " "được chèn vào thống kê hàng ngày." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Cần thiết khởi chạy lại Snort" #. Type: note #. Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Vì Snort được khởi chạy bằng tay, bạn cần phải chạy « /etc/init.d/snort » để " "các thay đổi có tác động." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Tập tin cấu hình quá cũ" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Hệ thống này dùng một tập tin cấu hình quá cũ (/etc/snort/snort.common." 
"parameters) đã được chuyển đổi sang định dạng tập tin cấu hình mới (ở " "« /etc/default/snort »)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Hãy xem lại cấu hình mới, rồi gỡ bỏ tập tin cũ. Trước khi bạn làm như thế, " "văn lệnh « init.d » sẽ không dùng cấu hình mới và bạn sẽ không lợi dựng các " "phiên bản mới." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Tập tin cấu hình bị phản đối" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Tập tin cấu hình Snort (/etc/snort/snort.conf) có dùng các tùy chọn bị phản " "đối không còn sẵn sàng lại cho phiên bản Snort này. Trình Snort sẽ không thể " "khởi chạy nếu bạn không cung cấp một tập tin cấu hình đúng. Bạn nên hoặc cho " "phép tập tin được thay thế bằng tập tin trong gói này, hoặc tự sửa chữa nó " "bằng cách gỡ bỏ các tùy chọn bị phản đối." #. Type: note #. 
Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Trong tập tin cấu hình, tìm thấy những tùy chọn bị phản đối này:\n" "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Lỗi cấu hình" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Cấu hình Snort hiện thời không phải là hợp lệ thì ngăn cản Snort khởi chạy " "bình thường. Hãy xem lại và sửa chữa." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Để chẩn đoán lỗi trong tập tin cấu hình Snort, dùng « /usr/sbin/snort -T -c " " »." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Tập tin cấu hình bị phản đối" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. 
Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Trong tập tin cấu hình, tìm thấy những tùy chọn bị phản đối này:\n" "${DEP_CONFIG}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "Thiết lập một cơ sở dữ liệu cho snort-mysql đăng nhập vào không?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Chưa thiết lập cơ sở dữ liệu vào đó Snort có thể đăng nhập. Trước khi " #~ "tiếp tục, bạn nên kiểm tra xem có :" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " • tên máy của máy phục vụ\n" #~ "\tmáy phục vụ đó phải cho phép kết nối TCP từ máy này)\n" #~ " • một cơ sở dữ liệu trên máy phục vụ đó\n" #~ " • một tên người dùng và mật khẩu để truy cập đến cơ sở dữ liệu." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Thiếu tùy chọn trên thì từ chối mục này và chạy với hỗ trợ ghi lưu vào " #~ "tập tin tiêu chuẩn." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Chức năng ghi lưu cơ sở dữ liệu có thể được cấu hình lại về sau bằng cách " #~ "chạy câu lệnh « dpkg-reconfigure -plow snort-mysql »." #~ msgid "Database server hostname:" #~ msgstr "Tên máy của máy phục vụ cơ sở dữ liệu :" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Hãy ghi rõ tên máy của một máy phục vụ cơ sở dữ liệu cho phép kết nối gửi " #~ "đến từ máy này." 
#~ msgid "Database name:" #~ msgstr "Tên cơ sở dữ liệu :" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Hãy ghi rõ tên của một cơ sở dữ liệu đã tồn tại vào đó người dùng cơ sở " #~ "dữ liệu có quyền ghi." #~ msgid "Username for database access:" #~ msgstr "Tên người dùng để truy cập đến cơ sở dữ liệu :" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Hãy ghi rõ một tên người dùng máy phục vụ cơ sở dữ liệu có quyền ghi vào " #~ "cơ sở dữ liệu." #~ msgid "Password for the database connection:" #~ msgstr "Mật khẩu để kết nối đến cơ sở dữ liệu :" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Hãy nhập mật khẩu cần dùng để kết nối đến cơ sở dữ liệu Báo Động Snort." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Cơ sở dữ liệu đã cấu hình cần thiết cho Snort" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Trình Snort cần thiết một cơ sở dữ liệu đã cấu hình, để khởi chạy được. " #~ "Để tạo cấu trúc này, hãy chạy những câu lệnh theo đây SAU KHI cài đặt gói:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Hãy điền vào các giá trị đúng cho tên người dùng, tên máy và tên cơ sở dữ " #~ "liệu. Trình MySQL sẽ nhắc bạn nhập mật khẩu." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." 
#~ msgstr "" #~ "Sau khi tạo cấu trúc cơ sở dữ liệu, bạn cần phải tự khởi chạy trình Snort." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Thiết lập một cơ sở dữ liệu cho snort-pgsql ghi lưu vào không?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Chức năng ghi lưu cơ sở dữ liệu có thể được cấu hình lại về sau bằng cách " #~ "chạy câu lệnh « dpkg-reconfigure -plow snort-pgsql »." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Hãy điền vào các giá trị đúng cho tên người dùng, tên máy và tên cơ sở dữ " #~ "liệu. Trình PostgreSQL sẽ nhắc bạn nhập mật khẩu." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "Thứ tự kiểm tra của Snort nên thay đổi thành « Pass|Alert|Log » không?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Thứ tự kiểm tra mặc định của Snort là « Alert|Pass|Log » (Báo động|Đi qua|" #~ "Ghi lưu). Bật tùy chọn này thì thứ tự sẽ được thay đổi thành « Pass|Alert|" #~ "Log », mà có thể làm cho đơn giản hơn khi dùng Snort với một số công cụ " #~ "nào đó để lọc gói tin." 
#~ msgid "You are running Snort manually" #~ msgstr "Bạn đang tự chạy Snort" #~ msgid "There is an error in your configuration" #~ msgstr "Gặp lỗi trong cấu hình" debian/po/sv.po0000664000000000000000000004735712317374526010630 0ustar # Translation of snort debconf template to Swedish # Copyright (C) 2013 Martin Bagge # This file is distributed under the same license as the snort package. # # Martin Bagge , 2008, 2013 msgid "" msgstr "" "Project-Id-Version: snort 2.3.3-1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-10-01 15:41+0100\n" "Last-Translator: Martin Bagge / brother \n" "Language-Team: Swedish \n" "Language: Swedish\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Poedit 1.5.4\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "uppstart" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "uppringt" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuell" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Hur ska Snort starta:" #. Type: select #. Description #: ../snort.templates:2002 #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort kan startas vid uppstart, när uppkoppling mot nätverk sker med pppd " "eller manuellt med kommandot /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "På vilket/vilka gränssnitt ska Snort lyssna?" #. Type: string #. 
Description #: ../snort.templates:3001 #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Detta värde är oftast \"eth0\" men det kan vara fel i en del " "nätverksmiljöer. För uppringd anslutning bör \"ppp0\" vara mer korrekt (se " "vidare utdatat från \"/sbin/ifconfig\")." #. Type: string #. Description #: ../snort.templates:3001 #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Vanligen är detta samma gränssnitt som standardrutten är inställd på. Du kan " "ta fram vilket gränssnitt som används för detta med kommandot \"/sbin/route -" "n\" (leta efter \"0.0.0.0\")." #. Type: string #. Description #: ../snort.templates:3001 #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. 
For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Det är inte helt ovanligt att köra Snort på ett gränssnitt utan IP-adress i " "läget \"promiscuous\". Om det är det du vill, välj gränssnittet på detta " "system som är fysiskt kopplad till nätverket du vill inspektera. Aktivera " "promiscuousläget efter det och kontrollera att nätverkstrafiken skickas till " "detta gränssnitt (antingen kopplade till en \"port mirror/spanning\"-port i " "en switch, en hubb eller en nätverkstapp)" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Du kan konfigurera flera gränssnitt här, bara att lägga till fler än ett " "gränssnittsnamn separerade med blanksteg. Varje gränssnitt kan ha sin egen " "specifika konfiguration." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Ange adressintervallet som Snort ska lyssna på." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Du ska använda CIDR-formatet, till exempel 192.168.1.0/24 för ett block av " "256 IP-adresser eller 192.168.1.42/32 för bara en av dem. Ange flera " "adresser på samma rad separerade med \",\" (kommatecken), blanksteg är inte " "tillåtna!" #. Type: string #. 
Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Observera att om du använder flera gränssnitt kommer denna definition att " "användas som HOME_NET-definition på alla." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Ska Snort inaktivera promiscuousläget på gränssnittet?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Inaktivering av promiscuousläget betyder att Snort bara kommer att se paket " "adresserade till sitt eget gränssnitt. Aktivering av det tillåter Snort att " "undersöka varje paket som passerar Ethernet-segmentet även om det är " "anslutning mellan två andra datorer." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Ogiltigt gränssnitt" #. Type: error #. Description #: ../snort.templates:6001 #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort försöker använda en nätverksanslutning som inte existerar eller som " "inte är uppkopplad. Antingen så har standardvärdet \"eth0\" smugit sig in " "eller så har du angivit ett felaktigt gränssnitt." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" 
msgstr "Ska dagliga sammandrag skickas via e-post?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Ett cron-jobb kan ställas in för att sända dagliga summeringar av Snorts " "logfiler till en förvald e-post-adress." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Vänligen ange om du vill aktivera denna funktionen." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Vem ska ta emot de dagliga e-postrapporterna?" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Vänligen ange e-post-adressen som ska få dagliga summeringar av Snorts " "logfiler." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Ytterligare alternativ" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Ange ytterligare inställningar som Snort ska använda." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minsta antalet förekomster innan varningar skickas:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Ett larm behöver dyka upp fler gånger än denna siffra för att bli " "inkluderade i den dagliga rapporten." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Snort måste startas om" #. Type: note #. 
Description #: ../snort.templates:11001 #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "I och med att Snort körs manuellt så måste du köra \"service snort restart\" " "för att ändringarna ska aktiveras." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Detta system använder en gammal konfigurationsfil" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Ditt system har en gammal konfigurationsfil (/etc/snort/snort.common." "parameters) vilken har blivit automatiskt konverterad till en ny " "konfigurationsfil med nytt format (i /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Kontrollera den nya konfiguration och ta bort den gamla. Fram till att du " "gör detta kommer init.d-skriptet inte använda den nya konfigurationen och du " "kan inte använda de nya fördelarna i den nya versionen." #. Type: note #. Description #: ../snort-common.templates:2001 #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Utdaterade inställningar i inställningsfil" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. 
Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Din Snort-konfigurationsfil (/etc/snort/snort.conf) använder gamla " "inställningar som inte längre används i denna Snort-utgåva. Snort kan inte " "starta om du har felaktigheter i konfigurationsfilen. Du kan byta ut din " "konfigurationsfil mot den som följer med detta paket eller lösa problemet " "manuellt genom att ta bort de felaktiga inställningarna." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "De följande inställningarna som hittades i din konfigurationsfil är inte " "längre giltiga: ${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Fel i inställningar" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Nuvarande inställningar för Snort är felaktiga och kommer att förhindra " "Snort från att starta på ett korrekt sätt. Vänligen kontrollera " "inställningarna och rätta felen." #. Type: error #. Description #: ../snort-common.templates:3001 #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "För att hitta fel i Snorts inställningar kan du (som root) använda kommandot " "\"/usr/sbin/snort -T -c /etc/snort/snort.conf\"." #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Detta system använder en gammal konfigurationsfil" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Ditt system har utdaterade inställningsfiler som inte ska användas mer och " "dessa kan innehålla utdaterade inställningar. Om dessa inkluderas via " "standardinställningarna (/etc/snort/snort.conf) kan det innebära att Snort " "inte kan starta korrekt." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Vänligen radera dessa inställningsfiler liksom eventuella referenser till de " "i inställningsfilen /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Följande inställningsfiler hittades och bedömdes utdaterade: ${DEP_FILE}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "Vill du konfigurera en databas för snort-mysql att logga till?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Ingen databas har ställts in för Snorts loggningsfunktioner. Du måste ha " #~ "följande innan du fortsätter:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." 
#~ msgstr "" #~ " - serverns värdnamn (servern måste tillåta TCP-anslutningar\n" #~ " från denna maskinen.\n" #~ " - en databas på den servern.\n" #~ " - ett användarnamn och ett lösenord för att komma åt databasen." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Om du inte har alla uppgifter ännu kan du hoppa över att ställa in detta " #~ "nu och använda dig av vanlig loggning till fil." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Loggning till databas kan aktiveras vid ett senare tillfälle genom att " #~ "köra 'dpkg-reconfigure -plow snort-mysql'." #~ msgid "Database server hostname:" #~ msgstr "Värdnamn för databas:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Ange värdnan på databasservern och att den tillåter inkommande " #~ "uppkopplingar från denna värd." #~ msgid "Database name:" #~ msgstr "Databasnamn:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Ange ett namn på en existerande databas som den här användaren har " #~ "skrivrättigheter till." #~ msgid "Username for database access:" #~ msgstr "Användarnamn för databas:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Kontrollera att din databasanvändare har skrivrättigheter till denna " #~ "databas." #~ msgid "Password for the database connection:" #~ msgstr "Ange lösenordet för databasuppkopplingen." #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "Ange ett lösenord för uppkoppling mot Snorts larmdatabas." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Databasen måste förberedas för Snort före användning." 
#~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort behöver en konfigurerad databas innan den kan starta korrekt. För " #~ "att skapa databasstrukturen behöver du köra följande kommandon EFTER att " #~ "paketet har installerats:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Ange de korrekta värdena för användare, värd och databasens namn. MySQL " #~ "kommer att fråga efter lösenordet." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Efter att du skapat databasstrukturen behöver du starta Snort manuellt." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Vill du konfigurera en databas för snort-pgsql att logga till?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Loggning till databas kan aktiveras vid ett senare tillfälle genom att " #~ "köra 'dpkg-reconfigure -plow snort-pgsql'." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Ange de korrekta värdena för användare, värd och databasens namn. " #~ "PostgreSQL kommer att fråga efter lösenordet." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" 
#~ msgstr "Ska testordningen för reglerna i Snort ändras til Pass|Alert|Log?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Standardvärdet för Snorts tester är Alert|Pass|Log. Om du väljer detta " #~ "alternativ så kommer ordningen att ändras till Pass|Alert|Log, vilket kan " #~ "underlätta användadet av Snort tillsammans med en del " #~ "paketfiltreringsverktyg." debian/po/templates.pot0000664000000000000000000002017612317374526012350 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "" #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "" #. 
Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" #. Type: note #. 
Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" #. 
Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" debian/po/gl.po0000664000000000000000000007225412317374526010574 0ustar # Galician translation of snort's debconf templates # This file is distributed under the same license as the snort package. # Jacobo Tarrio , 2007, 2008. # msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2008-04-06 20:22+0100\n" "Last-Translator: Jacobo Tarrio \n" "Language-Team: Galician \n" "Language: gl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "inicio" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "conexión" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manual" #. Type: select #. 
Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Modo de inicio de Snort:" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort pode arrincarse no inicio do sistema, ao se conectar á rede mediante " "pppd ou só manualmente mediante a orde /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Interfaces nas que Snort debe escoitar:" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Este valor adoita ser \"eth0\", pero pode non ser axeitado nalgunhas redes; " "para unha conexión por módem, \"ppp0\" pode ser a opción axeitada (consulte " "a saída da orde \"/sbin/ifconfig\")." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." 
msgstr "" "Normalmente esta é a mesma interface na que está a \"ruta por defecto\". " "Pode determinar a interface que se emprega executando a orde \"/sbin/route -n" "\" (busque \"0.0.0.0\")." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Tampouco é pouco habitual empregar unha interface sen IP e configurada en " "modo promiscuo. Nestes casos, escolla a interface deste sistema que estea " "conectada fisicamente á rede que se debe inspeccionar, active despois o modo " "promiscuo e asegúrese de que o tráfico da rede se envíe a esta interface " "(conectada a un porto \"espello/árbore\" dun switch, a un concentrador de " "rede ou a unha toma)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Pode configurar varias interfaces engadindo varios nomes de interfaces " "separados mediante espazos. Cada interface pode ter a súa propia " "configuración específica." #. 
Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Rango de enderezos da rede local:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Empregue a forma CIDR - por exemplo, 192.168.1.0/24 para un bloque de 256 " "enderezos ou 192.168.1.42/32 para só un. Para fornecer unha lista, dea " "varios valores separados por comas (sen espazos)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Teña en conta que se Snort está configurado para empregar varias interfaces, " "ha empregar este valor coma a definición HOME_NET de todas elas." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "¿Debería desactivar Snort o modo promiscuo na interface?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Desactivar o modo promiscuo significa que Snort só ha ver os paquetes " "dirixidos á interface que está a monitorizar. Activalo permite a Snort " "comprobar cada paquete que pase polo segmento Ethernet, incluso se é unha " "conexión entre outros dous ordenadores." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interface non válida" #. Type: error #. 
Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort tenta empregar unha interface que non existe ou está desconectada. É " "posible que o valor por defecto \"eth0\" non sexa axeitado, ou que indicara " "unha interface non válida." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "¿Débense enviar os resumos diarios por email?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Pódese establecer unha tarefa de cron para enviar resumos diarios dos " "rexistros de Snort ao enderezo de email que se indique." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Indique se quere activar esta característica." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinatario dos emails diarios de estatísticas:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Indique o enderezo que debería recibir os resumos diarios dos rexistros de " "Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Opcións personalizadas adicionais:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." 
msgstr "Indique as opcións adicionais que quere que empregue Snort." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Número mínimo de aparicións antes de informar das alertas:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Introduza o número mínimo de aparicións das alertas antes de incluír unha " "delas nas estatísticas diarias." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Precísase de reiniciar Snort" #. Type: note #. Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Como se inicia Snort manualmente, ha ter que executar \"/etc/init.d/snort\" " "para que os cambios tomen efecto." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Ficheiro de configuración obsoleto" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Este sistema emprega un ficheiro de configuración obsoleto (/etc/snort/snort." "common.parameters) que se convertiu automáticamente ao novo formato de " "ficheiros de configuración (en /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. 
Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Revise a nova configuración e elimine a obsoleta. Ata que o faga, o script " "de inicialización non ha empregar a nova configuración e non ha poder " "aproveitar as avantaxes introducidas nas novas versións." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Ficheiro de configuración obsoleto" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "O ficheiro de configuración de Snort (/etc/snort/snort.conf) emprega opcións " "obsoletas xa non dispoñibles nesta versión de Snort. Snort non ha poderse " "iniciar a menos que forneza un ficheiro de configuración correcto. Permita " "substituír o ficheiro de configuración co que se fornece neste paquete ou " "arránxeo manualmente eliminando as opcións obsoletas." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Atopáronse as seguintes opcións obsoletas no ficheiro de configuración: " "${DEP_CONFIG}." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Erro na configuración" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." 
msgstr "" "A configuración actual de Snort non é valida e ha impedir que Snort se " "inicie normalmente. Revísea e corríxaa." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Para diagnosticar un erro nun ficheiro de configuración de Snort, empregue " "\"/usr/sbin/snort -T -c \"." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Ficheiro de configuración obsoleto" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Atopáronse as seguintes opcións obsoletas no ficheiro de configuración: " "${DEP_CONFIG}." #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "¿Configurar unha base de datos para os rexistros de snort-mysql?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Non se configurou unha base de datos para que Snort rexistre nela. 
Antes " #~ "de continuar debería asegurarse de ter:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - o nome do servidor (o servidor debe admitir conexións TCP\n" #~ " desde esta máquina);\n" #~ " - unha base de datos nese servidor;\n" #~ " - un nome de usuario e contrasinal para acceder á base de datos." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Se non ten algúns destes datos, decline esta opción e execute Snort co " #~ "soporte de rexistro en ficheiros normal." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Pódese reconfigurar o rexistro na base de datos a posteriori executando " #~ "\"dpkg-reconfigure -plow snort-mysql\"." #~ msgid "Database server hostname:" #~ msgstr "Nome do servidor de bases de datos:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Indique o nome dun servidor de bases de datos que admita conexións " #~ "entrantes desta máquina." #~ msgid "Database name:" #~ msgstr "Nome da base de datos:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Introduza o nome dunha base de datos que xa exista para o que o usuario " #~ "da base de datos teña acceso de escritura." #~ msgid "Username for database access:" #~ msgstr "Nome de usuario para acceder á base de datos:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Indique un nome de usuario do servidor de bases de datos que teña acceso " #~ "de escritura á base de datos." 
#~ msgid "Password for the database connection:" #~ msgstr "Contrasinal para a conexión á base de datos:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Introduza o contrasinal a empregar para se conectar á base de datos de " #~ "alertas de Snort." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Snort precisa dunha base de datos configurada" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort precisa dunha base de datos configurada antes de se poder iniciar " #~ "con éxito. Para crear a estructura ten que executar as seguintes ordes " #~ "DESPOIS de instalar o paquete:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Introduza os valores correctos para os nomes do usuario, servidor e base " #~ "de datos. MySQL halle pedir o contrasinal." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Despois de crear a estructura da base de datos ha ter que iniciar Snort " #~ "manualmente." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "¿Configurar unha base de datos para os rexistros de snort-pgsql?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Pódese reconfigurar o rexistro na base de datos a posteriori executando " #~ "\"dpkg-reconfigure -plow snort-pgsql\"." 
#~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Introduza os valores correctos para os nomes do usuario, servidor e base " #~ "de datos. PostgreSQL halle pedir o contrasinal." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "¿Débese cambiar a orde de comprobación de Snort a Pass|Alert|Log?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "A orde de comprobación por defecto de Snort é Alert|Pass|Log; se acepta " #~ "esta opción, a orde hase cambiar a Pass|Alert|Log, o que pode simplificar " #~ "o uso de Snort con algunhas ferramentas de filtrado de paquetes." #~ msgid "You are running Snort manually" #~ msgstr "Está a executar Snort manualmente" #~ msgid "There is an error in your configuration" #~ msgstr "Hai un erro na súa configuración" #~ msgid "boot, dialup, manual" #~ msgstr "inicio, conexión, manual" #~ msgid "When should Snort be started?" #~ msgstr "¿Cando se debe iniciar Snort?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Se quere pode especificar \"any\", para non confiar en ningún lado da " #~ "rede." #~ msgid "" #~ "One of the interfaces you specified is not valid (it might not exist on " #~ "the system or be down). Please introduce a valid interface when answering " #~ "the question of which interface(s) should Snort listen on." #~ msgstr "" #~ "Unha das interfaces que especificou non é válida (pode non existir no " #~ "sistema ou estar desactivada). 
Introduza unha interface válida ao " #~ "respostar á pregunta sobre as interfaces nas que ten que escoitar Snort." #~ msgid "" #~ "If you did not configure an interface then the package is trying to use " #~ "the default ('eth0') which does not seem to be valid in your system." #~ msgstr "" #~ "Se non configurou unha interface, o paquete tenta empregar a interface " #~ "por defecto (\"eth0\"), que non semella válida no seu sistema." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "Se cambia a orde de comprobación de regras de Snort a Pass|Alert|Log, " #~ "hanse aplicar na orde Aceptar->Avisar->Rexistrar, no canto da orde " #~ "estándar Avisar->Aceptar->Rexistrar. Isto ha evitar que a xente teña que " #~ "crear argumentos de liña de ordes xigantes para filtrar as súas regras de " #~ "aviso." #~ msgid "" #~ "This Snort installation provides a cron job that runs daily and " #~ "summarises the information of Snort logs to a selected email address. If " #~ "you want to disable this feature say 'no' here." #~ msgstr "" #~ "Esta instalación de Snort fornece unha tarefa de cron que se executa cada " #~ "día e envía un resume da información dos rexistros de Snort a un enderezo " #~ "de email seleccionado. Se quere desactivar esta característica conteste " #~ "\"non\" aquí." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." 
#~ msgstr "" #~ "Unha tarefa de cron que se executa diariamente ha resumir a información " #~ "dos rexistros xerados por Snort empregando un script chamado \"snort-stat" #~ "\". Introduza aquí o destinatario deses emails. O valor por defecto é o " #~ "administrador do sistema. Se conserva este valor, asegúrese de que o " #~ "email do administrador se redirixa a un usuario que realmente lea esas " #~ "mensaxes." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "" #~ "Se quere especificar opcións personalizadas para Snort, indíqueas aquí." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Reinicie Snort empregando:\n" #~ " /etc/init.d/snort start\n" #~ "para que a configuración tome efecto." #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "A súa configuración de Snort non é correcta e Snort non ha poderse " #~ "iniciar de xeito normal. Revise a súa configuración e arránxea. Se non o " #~ "fai, as actualizacións do paquete Snort han fallar. Para ver o erro que " #~ "se xera, execute \"/usr/sbin/snort -T -c /etc/snort/snort.conf\" (ou " #~ "apunte a un ficheiro de configuración alternativo se emprega ficheiros " #~ "diferentes para interfaces diferentes)." #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. 
Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Só ten que o facer a primeira vez que instale snort-mysql. Antes de " #~ "continuar, asegúrese de ter (1) o nome dunha máquina que execute un " #~ "servidor mysql configurado para aceptar conexións tcp desta máquina, (2) " #~ "unha base de datos nese servidor, (3) un nome de usuario e contrasinal " #~ "para acceder á base de datos. Se non ten _todo_ iso, escolla \"non\" e " #~ "execute Snort co soporte normal de rexistro en ficheiros ou arranxe a " #~ "situación antes de nada. Sempre pode configurar despois o rexistro en " #~ "bases de datos, reconfigurando o paquete snort-mysql con \"dpkg-" #~ "reconfigure -plow snort-mysql\"." #~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "Asegúrese de que este usuario estea creado e teña acceso de escritura." #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "Snort precisa dunha base de datos configurada para gardar nela os " #~ "rexistros antes de se iniciar" #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. 
You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Só ten que o facer a primeira vez que instale snort-pgsql. Antes de " #~ "continuar, asegúrese de ter (1) o nome dunha máquina que execute un " #~ "servidor pgsql configurado para aceptar conexións tcp desta máquina, (2) " #~ "unha base de datos nese servidor, (3) un nome de usuario e contrasinal " #~ "para acceder á base de datos. Se non ten _todo_ iso, escolla \"non\" e " #~ "execute Snort co soporte normal de rexistro en ficheiros ou arranxe a " #~ "situación antes de nada. Sempre pode configurar despois o rexistro en " #~ "bases de datos, reconfigurando o paquete snort-pgsql con \"dpkg-" #~ "reconfigure -plow snort-pgsql\"." #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Snort precisa dunha base de datos configurada antes de se poder iniciar " #~ "con éxito. Para crear a estructura ten que executar as seguintes ordes " #~ "DESPOIS de instalar o paquete:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -u -h -p " #~ "\n" #~ "Encha os valores corectos para o usuario, servidor e nome da base de " #~ "datos. PostgreSQL halle pedir o contrasinal." #~ msgid "Your configuration file is deprecated" #~ msgstr "O seu ficheiro de configuración está obsoleto" #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. 
This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Introduza os nomes das interfaces nas que debería escoitar Snort. Os " #~ "nomes das interfaces dispoñibles pódense consultar executando \"ip link " #~ "show\" ou \"ifconfig\". Este valor adoita ser \"eth0\", pero pode " #~ "cambialo dependendo do seu ambiente. Se emprega unha conexión por módem, " #~ "\"ppp0\" pode ser máis axeitado." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "Escolla o rango de enderezos nos que ha escoitar Snort." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Desactive o modo promiscuo se configura Snort nunha interface sen un " #~ "enderezo IP configurado." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "Introduza o nome do servidor da base de datos mysql a empregar." #~ msgid "Please enter the name of the database to use." #~ msgstr "Introduza o nome da base de datos a empregar." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "Introduza o nome do usuario da base de datos a empregar." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "Introduza o nome do servidor da base de datos pgsql a empregar." debian/po/zh_CN.po0000664000000000000000000002641112317374526011165 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. 
# msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-16 17:49+0800\n" "Last-Translator: Yi Mingjing \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Chinese\n" "X-Poedit-Country: CHINA\n" "X-Poedit-SourceCharset: utf-8\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "引导" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "拨号" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "手动" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Snort启动方式:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "请选择Snort启动方式:在系统引导时自动启动,在通过pppd联网时自动启动,或者使用" "/usr/sbin/snort命令手动启动。" #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Snort应监听的网络接口:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "通常情况下为\"eth0\",但是在某些网络环境下不适用。例如,在拨号连接" "时,\"ppp0\"或许更为合适。网络连接状态请见\"/sbin/ifconfig\"。" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "通常,这与\"default route\"(\"默认路由\")所在的接口相同。您可以运行\"/sbin/" "route -n\"(查找\"0.0.0.0\")来确定是哪个接口。" #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "在混杂模式中,不使用IP地址来配置Snort也是可行的。例如,当系统通过物理连接到网" "络后选择一个网段,然后开启混杂模式,进而确定在此网段中(或交换机到集线器中的" "映射端口)的网络流量。" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "您可以通过在各网段间用空格隔开的方式配置多个网段。每个网络都可以单独配置。" #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "本机地址范围:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "请使用CIDR的格式。例如, 形如192.168.1.0/24或192.168.1.42/32。请用逗号\",\"隔" "开。" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "请注意,如果将Snort配置了多个网段,那么这个将作为定义HOME_NET的默认值。" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "禁用混杂模式吗?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. 
Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "禁用混杂模式,意味着Snort将只能看到发往被监控网络接口的数据包。开启混杂模式后,Snort" "将能检查经过该以太网段的每个数据包,即使这是另外两台计算机之间的连接。" #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "无效的网络接口" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort试图使用的网络接口不存在或未启用。可能是不恰当地默认使用了\"eth0\",也可能是您指定的接口" "无效。" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "需要邮件发送每日概况吗?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "可以使用计划任务将每天的Snort日志概要发送至指定的邮箱。" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "请选择是否开启此功能。" #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "接收每日数据分析的邮箱地址:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "请指定接收每天Snort日志概要的邮箱。" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "自定义可选项:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "请指定Snort应使用的其他任何选项。" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "报警被报告前的最少出现次数:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." 
msgstr "请输入某一报警被纳入每日统计前所需的最少出现次数。" #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "需要重启Snort" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "由于Snort是手动启动的,您需要运行\"service snort restart\"使变更生效。" #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "旧配置文件" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "系统使用旧配置文件(路径:/etc/snort/snort.common.parameters),该文件已被自动" "转换为新的配置文件格式(路径:/etc/default/snort)。" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "请检查新的配置,并删除旧的配置。在此之前,初始化脚本不会使用新的配置,您也无法" "获得新版本中引入的特性。" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "配置文件中存在已废弃的选项" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Snort配置文件(路径:/etc/snort/snort.conf)使用了此Snort版本已不再支持的废弃选项。" "您需要提供正确的配置文件才能启动Snort。您可以用本软件包提供的配置文件替换掉旧的配置" "文件,或者手工删除废弃的选项。" #. Type: note #. 
Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "下列配置文件错误:${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "配置错误" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "当前Snort配置错误以致Snort无法正常启动。请重新查看。" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "您可以在命令行中使用(需root权限):/usr/sbin/snort -T -c /etc/snort/snort." "conf来检查配置文件是否存在错误。" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "错误的配置文件" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "您的系统使用了不正确的配置文件。在/etc/snort/snort.conf配置文件中存在不正确的" "配置,会使Snort无法正常启动。" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "请在Snort配置文件中删除这些不正确的配置信息。" #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "不正确的配置文件:${DEP_FILE}" debian/po/it.po0000664000000000000000000003205112317374526010575 0ustar # Italian translation for snort's debconf messages # Copyright (C) 2008 Software in the Public Interest # This file is distributed under the same license as the snort package. # Gianluca Cotrino , 2008. # Daniele Forsi , 2013. msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2013-09-26 23:54+0200\n" "Last-Translator: Daniele Forsi \n" "Language-Team: Italian \n" "Language: it\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" "X-Generator: Virtaal 0.7.1\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "avvio" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "dialup" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuale" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Metodo di avvio di Snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Scegliere come avviare Snort: automaticamente all'avvio, automaticamente " "quando pppd si connette alla rete, oppure manualmente con il comando /usr/" "sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Interfacce su cui Snort deve restare in ascolto:" #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Questo valore di solito è «eth0», ma potrebbe essere inappropriato in alcuni " "ambienti di rete; «ppp0» potrebbe essere più appropriato per una connessione " "dialup (vedere l'output di «/sbin/ifconfig»)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Solitamente, questa è la stessa interfaccia sulla quale si trova la «default " "route». Si può stabilire quale interfaccia è usata eseguendo «/sbin/route -" "n» (cercare «0.0.0.0»)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Non è anche insolito usare un'interfaccia senza indirizzo IP configurata in " "modo promiscuo. In tal caso, selezionare l'interfaccia del sistema che è " "fisicamente connessa alla rete da ispezionare, abilitare la modalità " "promiscua successivamente ed assicurarsi che il traffico di rete sia inviato " "verso questa interfaccia (connessa ad una porta «port mirroring/spanning» in " "uno switch, ad un hub o ad un tap)." #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Si possono configurare più interfacce aggiungendo più nomi di interfaccia " "separati da spazi. Ciascuna interfaccia può avere la propria configurazione " "specifica." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Intervallo di indirizzi per la rete locale:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Usare un formato CIDR, per esempio 192.168.1.0/24 per un blocco di 256 " "indirizzi o 192.168.1.42/32 per uno solo. Più valori devono essere separati " "da una virgola (senza spazi)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Notare che se Snort è configurato per usare più interfacce, questo valore " "sarà usato come definizione di HOME_NET per tutte." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Snort deve disabilitare la modalità promiscua sull'interfaccia?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." 
msgstr "" "Disabilitare la modalità promiscua significa che Snort vedrà solo i " "pacchetti indirizzati all'interfaccia che sta monitorando. Abilitandola, si " "permette a Snort di controllare ogni pacchetto che passa nel segmento " "Ethernet anche se si tratta di una connessione fra altri due computer." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interfaccia non valida" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort sta cercando di usare un'interfaccia che non esiste o che non è " "attiva. Snort sta usando l'impostazione predefinita «eth0» che è " "inappropriata, oppure è stata specificata un'interfaccia non valida." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Trasmettere via e-mail i riepiloghi giornalieri?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Un lavoro cron può essere impostato per inviare giornalmente riepiloghi dei " "registri di Snort ad un indirizzo e-mail selezionato." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Scegliere se si desidera attivare questa funzione." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinatario delle mail quotidiane con le statistiche:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Specificare l'indirizzo e-mail che deve ricevere i riepiloghi giornalieri " "dei registri di Snort." #. Type: string #. 
Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Opzioni personalizzate aggiuntive:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Specificare ogni altra eventuale opzione che Snort deve usare." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Numero minimo di occorrenze prima che gli allarmi siano riportati:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Inserire il numero minimo di occorrenze di un allarme che sono necessarie " "prima che sia incluso nelle statistiche giornaliere." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Riavvio di Snort necessario" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Siccome Snort è lanciato manualmente, è necessario eseguire «service snort " "restart» perché i cambiamenti abbiano effetto." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "File di configurazione obsoleto" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Questo sistema usa un file di configurazione obsoleto (/etc/snort/snort." "common.parameters) che è stato automaticamente convertito nel nuovo formato " "del file di configurazione (/etc/default/snort)." #. Type: error #. 
Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Rivedere la nuova configurazione e rimuovere quella obsoleta. Nel frattempo, " "lo script di inizializzazione non utilizzerà la nuova configurazione e non " "si trarrà vantaggio dai benefici introdotti nelle nuove versioni." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Opzioni deprecate nel file di configurazione" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Il file di configurazione di Snort (/etc/snort/snort.conf) utilizza opzioni " "deprecate non più disponibili per questa versione di Snort. Snort non si " "potrà avviare finché non si fornisce un file di configurazione corretto. Si " "può sostituire il file di configurazione con quello incluso in questo " "pacchetto oppure correggerlo manualmente rimuovendo le opzioni deprecate." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Le seguenti opzioni deprecate sono state trovate nel file di configurazione: " "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Errore di configurazione" #. Type: error #. 
Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "La configurazione corrente di Snort non è valida ed impedirà a Snort di " "avviarsi normalmente. Rivederla e correggerla." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Per la diagnosi degli errori nella configurazione di Snort, si può eseguire " "(come root): «/usr/sbin/snort -T -c /etc/snort/snort.conf»" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "File di configurazione deprecato" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Questo sistema ha dei file di configurazione deprecati che non dovrebbero " "più essere usati e che potrebbero contenere opzioni deprecate. Se vengono " "inclusi tramite il file di configurazione standard (/etc/snort/snort.conf), " "potrebbero impedire il regolare avvio di Snort." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Rimuovere tali file ed eventuali riferimenti ad essi dal file di " "configurazione /etc/snort/snort.conf." #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "I seguenti file di configurazione deprecati sono stati trovati: ${DEP_FILE}" debian/po/da.po0000664000000000000000000003147212317374526010553 0ustar # Danish translation snort. # Copyright (C) 2013 snort og nedenstående oversættere. # This file is distributed under the same license as the snort package. # Joe Hansen (joedalton2@yahoo.dk), 2011, 2013. # msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-29 19:25+0200\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "Language: da\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "opstart" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "ring op" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuelt" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Startmetode for snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Vælg venligst hvordan Snort skal startes: Automatisk ved opstart, " "automatisk når der forbindes til nettet med pppd, eller manuelt med " "kommandoen /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Grænseflader som Snort skal lytte på:" #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Værdien er normalt »eth0«, men dette kan være upassende i nogle " "netværksmiljøer; for en opkaldsforbindelse kan »ppp0« være mere passende (se " "uddata for »/sbin/ifconfig«)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Typisk er dette den samme grænseflade som »standardruten« er på. Du kan " "bestemme hvilken grænseflade, der bruges, ved at køre »/sbin/route -n« (se " "efter »0.0.0.0«)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Det er heller ikke unormalt at bruge en grænseflade uden IP-adresse " "konfigureret i fuldstændig åben tilstand. I sådanne tilfælde så vælg " "grænsefladen i dette system som er fysisk forbundet med netværket, som skal " "inspiceres, aktiver fuldstændig åben (promiscuous) tilstand senere og sikr " "dig at netværkstrafikken sendes til denne grænseflade (enten forbundet til " "en »port mirroring/spanning« port i en netværksveksler (switch), en hub " "eller en tap)." #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Du kan konfigurere flere grænseflader, bare ved at tilføje mere end et " "grænsefladenavn adskilt af mellemrum. Hver grænseflade kan have sin egen " "specifikke konfiguration." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Adresseinterval for det lokale netværk:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Brug venligst CIDR-formen - for eksempel 192.168.1.0/24 - for en blok af 256 " "adresser eller 192.168.1.42/32 for bare en. Flere værdier skal være " "kommaadskilt (uden mellemrum)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Bemærk venligst at hvis Snort er konfigureret til at bruge flere " "grænseflader vil den bruge denne værdi som HOME_NET-definitionen for dem " "alle." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "" "Skal Snort deaktivere fuldstændig åben (promiscuous) tilstand på " "grænsefladen?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." 
msgstr "" "Deaktivering af fuldstændig åben tilstand betyder at Snort kun vil se pakker " "adresseret til grænsefladen den overvåger. Aktivering af den tillader Snort " "at kontrollere hver pakke som passerer Ethernetsegmentet selv hvis det er en " "forbindelse mellem to andre computere." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Ugyldig grænseflade" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort forsøger at bruge en grænseflade, som ikke findes eller er nede. Enten " "er standarden upassende for »eth0« eller du angav en som er ugyldig." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Skal daglige referater sendes med e-post?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Et cronjob kan sættes op til at sende daglige referater af Snortlogge til " "en valgt e-post-adresse." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Vælg venligst hvorvidt du ønsker at aktivere denne funktion." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Modtager af daglig statistikpost:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Angiv venligst e-post-adressen som skal modtage daglige referater af " "Snortlogge." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Yderligere tilpassede indstillinger:" #. Type: string #. 
Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Angiv venligst alle yderligere indstillinger som Snort skal bruge." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimale forekomster før påmindelser rapporteres:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Indtast venligst det minimale antal påmindelsesforekomster før en angivet " "påmindelse er inkluderet i den daglige statistik." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Genstart af Snort er krævet" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Da Snort startes manuelt, skal du køre »service snort restart« for at " "ændringerne træder i kraft." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Forældet konfigurationsfil" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Dette system bruger en forældet konfigurationsfil (/etc/snort/snort.common." "parameters), som automatisk er blevet konverteret til det nye " "konfigurationsfilformat (ved /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." 
msgstr "" "Gennemse venligst den nye konfiguration og fjern den forældede. Indtil du " "udfører dette, vil initialiseringskriptet ikke bruge den nye konfiguration " "og du vil ikke få fordel af de fordele, som er blevet introduceret i nyere " "udgivelser." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Forældede (deprecated) indstillinger i konfigurationsfilen" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Snorts konfigurationsfil (/etc/snort/snort.conf) bruger forældede " "indstillinger, som ikke længere er tilgængelige for denne Snortudgivelse. " "Snort vil ikke kunne starte med mindre, at du angiver en gyldig " "konfigurationsfil. Tillad enten at konfigurationsfilen bliver erstattet med " "konfigurationsfilen i denne pakke eller ret det manuelt ved at fjerne " "forældede indstillinger." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "De følgende forældede indstillinger blev fundet i konfigurationsfilen: " "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Konfigurationsfejl" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Den aktuelle Snortkonfiguration er ugyldig og vil forhindre Snort i at " "starte op normalt. Gennemse og ret den venligst." #. Type: error #. 
Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "For at diagnosticere fejl i din Snortkonfigurationsfil kan du køre (som " "root) følgende: »/usr/sbin/snort -T -c /etc/snort/snort.conf«." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Forældet (deprecated) konfigurationsfil" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Dit system har forældede konfigurationsfiler, som ikke bør bruges længere " "og kan indeholde forældede indstillinger. Hvis inkluderet via " "standardkonfigurationsfilen (/etc/snort/snort.conf), kan de forhindre " "Snort i at starte korrekt op." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Fjern venligst disse filer samt alle eksisterende referencer til dem i " "konfigurationsfilen /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "De følgende forældede konfigurationsfiler blev fundet: ${DEP_FILE}" debian/po/cs.po0000664000000000000000000003145312317374526010573 0ustar # Czech PO debconf template translation of snort. # Copyright (C) 2008 Jan Outrata # This file is distributed under the same license as the snort package. # Michal Simunek , 2013. 
# msgid "" msgstr "" "Project-Id-Version: snort 2.9.5.3-2\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-23 12:01+0200\n" "Last-Translator: Michal Simunek \n" "Language-Team: Czech \n" "Language: cs\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "při zavádění" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "při vytáčeném připojení" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "ručně" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Způsob spuštění Snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Zvolte si prosím, jak se má Snort spouštět: automaticky při zavádění, " "automaticky při připojování k síti s pppd, nebo ručně příkazem /" "usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Rozhraní, na kterém (kterých) má Snort naslouchat:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Tato hodnota obyčejně bývá \"eth0\", ale to nemusí být v některých síťových " "prostředích vhodné; pro vytáčené připojení může být vhodnější \"ppp0\" (viz " "výstup \"/sbin/ifconfig\")." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. 
You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Typicky je to stejné rozhraní jako je \"výchozí směrování (default route)\". " "Které rozhraní se pro toto používá, můžete zjistit spuštěním \"/sbin/route -" "n\" (hledejte \"0.0.0.0\")." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Také není neobvyklé použít rozhraní bez IP adresy nastavené do " "promiskuitního módu. V tomto případě vyberte rozhraní systému fyzicky " "připojené k síti a které chcete sledovat, následně povolte promiskuitní mód " "a ujistěte se, že je síťový provoz posílán na toto rozhraní (buď připojené k " "\"port mirroring/spanning\" portu přepínače, k hubu nebo k tap rozhraní)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Můžete také zadat více rozhraní, jednoduše zapsáním více než jednoho jména " "rozhraní, oddělených mezerami. Každé rozhraní může mít své specifické " "nastavení." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Adresní rozsah lokální sítě:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." 
msgstr "" "Použijte zápis CIDR - například 192.168.1.0/24 pro blok 256 adres nebo " "192.168.1.42/32 pro jednu jedinou adresu. Více adres zadejte oddělených " "čárkou (bez mezer)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Pokud je Snort nakonfigurován pro použití více rozhraní, použije tuto " "hodnotu jako definici HOME_NET pro všechna z nich." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Má Snort zakázat promiskuitní mód na tomto rozhraní?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Zakázání promiskuitního módu znamená, že Snort uvidí jen pakety adresované " "rozhraní, které monitoruje. Povolení umožňuje Snortu kontrolovat každý " "paket, který prochází ethernetovým segmentem, i když je to spojení mezi " "jinými dvěma počítači." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Neplatné rozhraní" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort se pokouší použít rozhraní, které neexistuje nebo je vypnuté. Buď se " "jedná o výchozí nastavení na \"eth0\", nebo bylo zadáno neplatné rozhraní." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Mají se denní souhrny zasílat e-mailem?" #. Type: boolean #. 
Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Pro zasílání denních souhrnů logů Snortu na zvolenou e-mailovou adresu může " "být nastavena úloha cronu." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Zvolte, zda chcete aktivovat tuto možnost." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Příjemce denních mailů se statistikami:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Zadejte e-mailovou adresu, na kterou mají být zasílány denní souhrny logů " "Snortu." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Další vlastní volby:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Zadejte jakékoliv další volby, které by měl Snort použít." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimální počet výskytů před hlášením upozornění:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Zadejte minimální počet výskytů upozornění před tím, než je toto upozornění " "obsaženo v denní statistice." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Vyžadován restart Snortu" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." 
msgstr "" "Jelikož je Snort spouštěn ručně, pro uplatnění změn musíte spustit " "\"service snort restart\"" #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Zastaralý konfigurační soubor" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Tento systém používá zastaralý konfigurační soubor (/etc/snort/snort.common." "parameters), který byl automaticky převeden do nového formátu konfiguračního " "souboru (v /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Zkontrolujte novou konfiguraci a odstraňte tu zastaralou. Dokud to " "neuděláte, inicializační skript nebude používat novou konfiguraci a " "nevyužijete tak výhod představených v novějších verzích." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Zastaralé volby v konfiguračním souboru" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Konfigurační soubor Snortu (/etc/snort/snort.conf) používá zrušené volby, " "které již nejsou v tomto vydání Snortu dostupné. 
Snort se nebude moci " "spustit, dokud neposkytnete korektní konfigurační soubor. Můžete povolit " "nahrazení konfiguračního souboru souborem obsaženým v tomto balíku nebo to " "opravit ručně odstraněním zrušených voleb." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "V konfiguračním souboru byly nalezeny následující zrušené volby: " "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Chyba konfigurace" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Aktuální konfigurace Snortu je neplatná a Snort nebude možné normálně " "spustit. Zkontrolujte a opravte ji." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Pro diagnostikování chyb v nastavení Snort spusťte (jako root) tento " "příkaz: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Zrušený konfigurační soubor" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Váš systém má zastaralé konfigurační soubory, které by se dále neměly používat, " "protože mohou obsahovat zastaralé volby. 
Pokud jsou obsaženy ve standardním " "konfiguračním souboru (/etc/snort/snort.conf), mohou bránit tomu, aby se Snort " "správně spouštěl." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Odstraňte prosím tyto soubory a také všechny stávající odkazy na ně z " "konfiguračního souboru /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "Byly nalezeny následující zastaralé konfigurační soubory: ${DEP_FILE}" debian/po/pt.po0000664000000000000000000007206612317374526010616 0ustar # Portuguese translation for snort's debconf messages # Copyright (C) 2007 Miguel Figueiredo # This file is distributed under the same license as the snort package. # Miguel Figueiredo , 2007-2013 # msgid "" msgstr "" "Project-Id-Version: snort 2.7.0-10\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-15 10:38+0100\n" "Last-Translator: Miguel Figueiredo \n" "Language-Team: Portuguese \n" "Language: pt\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "arranque" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "dialup" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manual" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Método de arraque do Snort:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." 
msgstr "" "Por favor escolha como deve ser iniciado o Snort: automaticamente no " "arranque, automaticamente ao ligar à rede com pppd ou manualmente com o " "comando /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Interface(s) que o Snort deve escutar:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Normalmente este valor é \"eth0\", mas poderá ser desadequado em alguns " "ambientes de rede; para uma ligação dialup \"ppp0\" poderá ser mais " "apropriado (veja a saída de \"/sbin/ifconfig\")." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Normalmente este é o mesmo interface onde está \"default route\". Pode " "determinar qual o interface que é utilizado para isto correndo \"/sbin/route " "-n\" (procure por \"0.0.0.0\")." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Também não é invulgar utilizar um interface sem endereço IP configurado em " "modo promíscuo. 
Para esses casos, escolha o interface neste sistema que está " "fisicamente ligado à rede que deseja inspeccionar, posteriormente active o " "modo promíscuo e assegure-se que o tráfego de rede é enviado para este " "interface (quer ligado a um porto de \"mirroring/spanning\" num switch, num " "hub ou a um tap)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Pode configurar aqui vários interfaces, apenas adicionando mais do que um " "nome de interface separado por espaços. Cada interface pode ter a sua " "configuração específica." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Gama de endereços para a rede local:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Por favor utilize o formato CIDR - por exemplo, 192.168.1.0/24 para um bloco " "de 256 endereços ou 192.168.1.42/32 para apenas um. Vários endereços devem " "ser separados por vírgulas (sem espaços)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Por favor note que se o Snort está a utilizar vários interfaces, irá " "utilizar este valor como a definição HOME_NET para todos eles." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Deve o Snort desabilitar o modo promíscuo no interface?" #. Type: boolean #. 
Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Desabilitar o modo promíscuo significa que o Snort irá apenas ver pacotes " "endereçados ao interface que está a monitorizar. Habilitá-lo permite ao " "Snort verificar cada pacote que passa o segmento Ethernet mesmo que seja a " "ligação entre outros dois computadores." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interface inválido" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "O Snort está a tentar utilizar um interface que não existe ou que está " "desactivado. Ou está a utilizar a predefinição errada para \"eth0\", ou " "especificou um que é inválido." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Devem ser enviados por e-mail sumários diários?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Pode ser criado um trabalho cron para enviar diariamente os sumários dos " "registos do Snort para um determinado endereço de e-mail." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Por favor escolha se quer activar esta funcionalidade." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinatário que deve receber mails diários das estatísticas:" #. Type: string #. 
Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Por favor especifique qual o endereço de e-mail que deve receber os resumos " "diários dos registos do Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Opções adicionais de personalização:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Por favor especifique que opções adicionais deve o Snort utilizar." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Número minimo de ocorrências antes de serem reportados alertas:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Por favor introduza o número minimo de ocorrências de alertas antes de um " "dado alerta ser incluido nas estatísticas diárias." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "É necessário que o Snort seja reiniciado" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Como o Snort é arrancado manualmente, você tem de executar \"service snort " "restart\" para as alterações terem efeito." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Ficheiro de configuração obsoleto" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." 
msgstr "" "Este sistema utiliza um ficheiro de configuração obsoleto (/etc/snort/snort." "common.parameters) que foi automaticamente convertido para o novo formato de " "ficheiro de configuração (em /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Por favor reveja a nova configuração e remova a obsoleta. Até fazer isto, o " "script de arranque não irá utilizar a nova configuração e você não irá tirar " "vantagem dos benefícios introduzidos nos lançamentos mais recentes." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Opções depreciadas no ficheiro de configuração" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "O ficheiro de configuração do Snort (/etc/snort/snort.conf) utiliza opções " "depreciadas que já não estão disponíveis para este lançamento do Snort. O " "Snort não irá ser capaz de iniciar a menos que você forneça um ficheiro de " "configuração correcto. Você pode substituir o seu ficheiro de configuração " "pelo que é disponibilizado neste pacote ou corrigi-lo manualmente removendo " "as opções depreciadas." #. Type: note #. 
Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "As seguintes opções depreciadas foram encontradas no ficheiro de " "configuração: ${DEP_CONFIG}." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Erro na configuração" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "A actual configuração do Snort é inválida e impede que o Snort inicie " "normalmente. Por favor reveja e corrija." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Para diagnosticar erros na sua configuração do Snort, pode correr (como " "root) o seguinte: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Ficheiro de configuração depreciado" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "O seu sistema tem ficheiros de configuração depreciados que já não devem ser " "utilizados e poderão conter opções depreciadas. Se forem incluidos através " "do ficheiro de configuração standard (/etc/snort/snort.conf), podem prevenir " "que o Snort funcione correctamente." #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Por favor remova esses ficheiros assim como quaisquer referências a eles no " "ficheiros de configuração /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Foram encontrados os seguintes ficheiros de configuração depreciados: " "${DEP_FILE}." #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Deseja configurar uma base de dados para o snort-mysql fazer registos?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Não foi configurada uma base de dados para o Snort guardar os registos. " #~ "Antes de continuar, você deve assegurar-se que tem:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - o nome da máquina do servidor (esse servidor tem de permitir ligações " #~ "TCP\n" #~ " a partir desta máquina);\n" #~ " - uma base de dados nesse servidor;\n" #~ " - um nome de utilizador e palavra-passe para aceder à base de dados." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Se faltar algum destes requisitos, rejeite esta opção e corra com o " #~ "suporte de registos em ficheiro normal." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "O registo em base de dados pode ser reconfigurado posteriormente ao " #~ "correr 'dpkg-reconfigure -plow snort-mysql'." 
#~ msgid "Database server hostname:" #~ msgstr "Nome da máquina do servidor da base de dados:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Por favor especifique o nome da máquina de um servidor de bases de dados " #~ "que permita receber ligações feitas a partir desta máquina." #~ msgid "Database name:" #~ msgstr "Nome da base de dados:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Por favor especifique o nome da base de dados existente na qual o " #~ "utilizador da base de dados tem acesso de escrita." #~ msgid "Username for database access:" #~ msgstr "Nome de utilizador para acesso à base de dados:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Por favor especifique um nome de utilizador de base de dados com acesso " #~ "de escrita à base de dados." #~ msgid "Password for the database connection:" #~ msgstr "Palavra-passe para a ligação à base de dados:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Por favor introduza a palavra-passe a utilizar para ligar à base de dados " #~ "Snort Alert." #~ msgid "Configured database mandatory for Snort" #~ msgstr "É obrigatório configurar uma base de dados para o Snort" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "O Snort necessita de uma base de dados configurada antes de poder iniciar " #~ "com sucesso. 
De modo a criar a estrutura você necessita e correr os " #~ "seguintes comandos DEPOIS do pacote estar instalado:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Preencha os valores correctos para nome de utilizador, de máquina e de " #~ "base de dados. O MySQL irá perguntar-lhe a palavra-passe." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Depois de ter criado a estrutura da base de dados, necessita iniciar " #~ "manualmente o Snort." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Configurar uma base de dados para o snort-pgsql fazer registos?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "O registo em base de dados pode ser reconfigurado posteriormente ao " #~ "correr 'dpkg-reconfigure -plow snort-pgsql'." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Preencha os valores correctos para os nomes de utilizador, máquina e base " #~ "de dados. O PostgreSQL irá pedir-lhe a palavra-passe." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "Deve a ordem de teste do Snort ser alterada para Pass|Alert|Log?" 
#~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "O ordem de teste pré-definida do Snort é Alert|Pass|Log; se aceitar esta " #~ "opção a ordem será alterada para Pass|Alert|Log, que pode simplificar a " #~ "utilização do Snort com outras ferramentas de filtragem de pacotes." #~ msgid "You are running Snort manually" #~ msgstr "Você está a correr o Snort manualmente" #~ msgid "There is an error in your configuration" #~ msgstr "Existe um erro na sua configuração" #~ msgid "boot, dialup, manual" #~ msgstr "arranque, dialup, manual" #~ msgid "When should Snort be started?" #~ msgstr "Como deve o Snort ser iniciado?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Se quiser pode especificar 'any', para não confiar em nenhum lado da rede." #~ msgid "" #~ "One of the interfaces you specified is not valid (it might not exist on " #~ "the system or be down). Please introduce a valid interface when answering " #~ "the question of which interface(s) should Snort listen on." #~ msgstr "" #~ "Um dos interfaces que especificou não é válido (pode não existir no " #~ "sistema ou estar desligado). Por favor introduza um interface válido " #~ "quando responder á questão acerca de qual(is) interface(s) deve o Snort " #~ "escutar." #~ msgid "" #~ "If you did not configure an interface then the package is trying to use " #~ "the default ('eth0') which does not seem to be valid in your system." #~ msgstr "" #~ "Se não configurar um interface então o pacote está a tentar utilizar o " #~ "valor prédefinido ('eth0') que não parece ser válido no seu sistema." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. 
" #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." #~ msgstr "" #~ "Se alterar a ordem de teste das regras do Snort para Pass|Alert|Log, " #~ "serão aplicadas na ordem Pass->Alert->Log, em vez do padrão Alert->Pass-" #~ ">Log. Isto irá prevenir as pessoas de terem de fazer grandes argumentos " #~ "na linha de comandos Berkeley Packet Filter para filtrar as suas regras de " #~ "alerta." #~ msgid "" #~ "This Snort installation provides a cron job that runs daily and " #~ "summarises the information of Snort logs to a selected email address. If " #~ "you want to disable this feature say 'no' here." #~ msgstr "" #~ "Esta instalação do Snort disponibiliza um trabalho no cron que corre " #~ "diariamente e dá um sumário da informação dos registos do Snort para um " #~ "endereço de email seleccionado. Se quiser desligar esta funcionalidade " #~ "diga 'não' aqui." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." #~ msgstr "" #~ "Um trabalho do cron que corre diariamente irá sumarizar a informação dos " #~ "registos gerados pelo Snort utilizando um script chamado 'snort-stat'. " #~ "Introduza aqui o destinatário para esses mails. O valor prédefinido é o " #~ "administrador do sistema. Se mantiver este valor, assegure-se que o mail " #~ "do administrador é redireccionado para um utilizador que realmente lê esses " #~ "mails." #~| msgid "" #~| "If you want to specify custom options to Snort, please specify them here." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." 
#~ msgstr "" #~ "Se quiser especificar opções de personalização para o Snort, por favor " #~ "especifique-as aqui." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Por favor reinicie o Snort utilizando:\n" #~ " /etc/init.d/snort start\n" #~ "para deixar as definições terem efeito." #~ msgid "" #~ "Your Snort configuration is not correct and Snort will not be able to " #~ "start up normally. Please review your configuration and fix it. If you do " #~ "not do this, Snort package upgrades will probably break. To check which " #~ "error is being generated run '/usr/sbin/snort -T -c /etc/snort/snort." #~ "conf' (or point to an alternate configuration file if you are using " #~ "different files for different interfaces)" #~ msgstr "" #~ "A sua configuração do Snort não é correcta e o Snort não conseguirá " #~ "iniciar normalmente. Por favor reveja a sua configuração e corrija-a. Se " #~ "não fizer isto, as actualizações do pacote Snort provavelmente não irão " #~ "funcionar. Para ver qual o erro que está a ser gerado corra '/usr/sbin/" #~ "snort -T -c /etc/snort/snort.conf' (ou aponte para um ficheiro de " #~ "configuração alternativo se está a utilizar ficheiros diferentes para " #~ "diferentes interfaces)" #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Necessita fazer isto apenas a primeira vez que instalar o snort-mysql. 
" #~ "Antes de continuar, assegure-se que tem (1) o nome de máquina de uma " #~ "máquina que corra um servidor mysql configurado para permitir ligações " #~ "tcp a partir daqui, (2) uma base de dados nesse servidor, (3) um nome de " #~ "utilizador e palavra chave para aceder à base de dados. Se não tem " #~ "_todos_ estes, ou escolha 'não' e corra com o normal suporte para " #~ "registos em ficheiro, ou primeiro corrija isto. Pode sempre, " #~ "posteriormente, configurar o registo na base de dados, ao reconfigurar o " #~ "pacote snort-mysql com 'dpkg-reconfigure -plow snort-mysql'" #~ msgid "Make sure this user has been created and has write access." #~ msgstr "Assegure-se que este utilizador foi criado e tem acesso de escrita." #~| msgid "Snort needs a configured database to log to before it starts." #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "O Snort necessita, antes de ser iniciado, de uma base de dados " #~ "configurada para registos" #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Necessita fazer isto apenas a primeira vez que instalar o snort-pgsql. " #~ "Antes de continuar, assegure-se que tem (1) o nome de máquina de uma " #~ "máquina que corra um servidor pgsql configurado para permitir ligações " #~ "tcp a partir daqui, (2) uma base de dados nesse servidor, (3) um nome de " #~ "utilizador e palavra chave para aceder à base de dados. 
Se não tem " #~ "_todos_ estes, ou escolha 'não' e corra com o normal suporte para " #~ "registos em ficheiro, ou primeiro corrija isto. Pode sempre, " #~ "posteriormente, configurar o registo na base de dados, ao reconfigurar o " #~ "pacote snort-pgsql com 'dpkg-reconfigure -plow snort-pgsql'" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "O Snort necessita de uma base de dados configurada antes de iniciar com " #~ "sucesso. De modo a criar a estrutura você necessita de correr os seguintes " #~ "comandos DEPOIS do pacote estar instalado:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "\n" #~ "Preencha os valores correctos para o utilizador, máquina e nome da base " #~ "de dados. O PostgreSQL irá perguntar-lhe pela palavra chave." #~ msgid "Your configuration file is deprecated" #~ msgstr "O seu ficheiro de configuração está obsoleto" #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Por favor introduza o(s) nome(s) do(s) interface(s) que o Snort deve " #~ "escutar. Os nomes dos interfaces disponíveis são disponibilizados quer " #~ "ao correr 'ip link show' ou 'ifconfig'. 
Normalmente este valor é 'eth0', " #~ "mas você pode querer alterá-lo dependendo do seu ambiente, se está a " #~ "utilizar uma ligação dialup, 'ppp0 poderá ser mais apropriado." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "" #~ "Por favor introduza o intervalo de endereços que o Snort irá escutar." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Desabilitar o modo promíscuo se está a configurar o Snort num interface " #~ "sem um endereço IP configurado." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "" #~ "Por favor introduza o nome da máquina do servidor de base de dados mysql " #~ "a utilizar." #~ msgid "Please enter the name of the database to use." #~ msgstr "Por favor introduza o nome da base de dados a utilizar." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "" #~ "Por favor introduza o nome do utilizador da base de dados que quer " #~ "utilizar." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "Por favor introduza o nome da máquina do servidor de base de dados pgsql " #~ "a utilizar." debian/po/ja.po0000664000000000000000000003445312317374526010563 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. 
# # msgid "" msgstr "" "Project-Id-Version: snort 2.9.5.3-2\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-13 15:03+0900\n" "Last-Translator: Hideki Yamane (Debian-JP) \n" "Language-Team: Japanese \n" "Language: ja\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "起動時" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "ダイヤルアップ時" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "手動" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "snort の起動方法:" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort の起動方法を、システム起動時に自動で、pppd を利用してネットワークに接続" "した時に自動で、/usr/sbin/snort コマンドにより手作業で、から選択してください。" #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Snort が listen するインターフェイス:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "ここでの値は通常「eth0」ですが、ネットワーク環境によってはそれでは適切ではない" "かもしれません: ダイヤルアップ接続を利用している場合は、「ppp0」がより適切で" "しょう (「/sbin/ifconfig」の出力を確認してください)。" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." 
msgstr "" "大抵の場合、これは「default route」が存在するものと同じです。どのインターフェ" "イスを使うかは「/sbin/route -n」を実行して (「0.0.0.0」を探して)、決定できま" "す。" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "IP を付与していないインターフェイス上でプロミスキャスモードの Snort を動作させ" "るのも珍しいことではありません。このような場合、受信を行いたいネットワークに対" "して物理的に接続されているこのシステム上のインターフェイスを選択し、後ほどプロ" "ミスキャスモードを有効にしてネットワークトラフィックがこのインターフェイス (ス" "イッチの「port mirroring/spanning」ポートかハブ、あるいはネットワークタップ" "に接続されています) に届いているのを確認してください。" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "インターフェイスの名前を空白で区切って複数列挙することで複数のインターフェイス" "を設定できます。インターフェイスごとに固有の設定が可能です。" #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "ローカルネットワークのアドレス範囲:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "CIDR 形式で記述してください。例えば 192.168.1.0/24 は 256 個のアドレスブロック" "で、192.168.1.42/32 は 1 個のアドレスとなります。値を複数指定する場合、(空白は" "入れずに) コンマで区切って記述しましょう。" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." 
msgstr "" "Snort が複数のインターフェイスを使うように設定されている場合、この値は全ての" "インターフェイスの HOME_NET 定義として利用されることに注意してください。" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Snort で、このインターフェイスでのプロミスキャスモードを無効にしますか?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "プロミスキャスモードを無効にすると、Snort は自身がモニタリングしているインター" "フェイスへ向けられたパケットのみを監視します。有効にすると、自身以外の他のコン" "ピュータ間のやり取りを含めたイーサネットセグメント上の全てのパケットをチェック" "するようになります。" #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "不正なインターフェイス" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort が存在していない、あるいはダウンしているインターフェイスを使おうとしてい" "ます。適切ではなくデフォルトにされている「eth0」あるいはあなたが指定したイン" "ターフェイスは正しくありません。" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "メールで毎日サマリを送りますか?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "cron ジョブで指定したメールアドレスに Snort ログの日次サマリを送るように設定" "できます。" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "この機能を有効にするかどうかを選択してください。" #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "日次統計のメールの宛先:" #. Type: string #. 
Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "Snort ログの日次サマリを受け取れるメールアドレスを指定してください。" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "追加のカスタムオプション:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Snort が使う追加のオプションを指定してください。" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "アラートを報告する最小発生件数:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "アラートが日次統計に含められる場合の最小アラート発生数を入力してください。" #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Snort の再起動が必要です" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Snort が手動で起動されているため、変更を反映するには「service snort restart」を実" "行する必要があります。" #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "古く無効な設定ファイル" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "このシステムが使っている、既に利用できない設定ファイル (/etc/snort/snort." "common.parameters) は自動的に新しい設定ファイル形式 (/etc/default/snort) に変" "換されました。" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. 
Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "新しい設定を確認して古い設定を削除してください。古い設定が削除されるまで初期化" "スクリプトは新しい設定を使おうとはしないので、新しいリリースでの恩恵を享受する" "ことはできません。" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "設定ファイルに無効なオプションがあります" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Snort の設定ファイル (/etc/snort/snort.conf) は、今回の Snort のリリース以降使" "えなくなっている無効なオプションを指定しています。設定ファイルを修正しない限り" "起動できなくなります。設定ファイルをこのパッケージが提供しているものに置換する" "か、無効なオプションを手動で削除するかすれば起動できるようになります。" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "設定ファイルで以下の無効なオプションが見つかりました: ${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "設定エラー" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "現在の Snort の設定が正しくないので、Snort は正常に起動しません。確認の上で修" "正してください。" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Snort の設定ファイル中のエラーを分析するには、root で「/usr/sbin/snort -T -c " "/etc/snort/snort.conf」を実行してください。" #. Type: note #. 
Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "無効にされた設定ファイル" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "このシステムにはもう使うべきではない古い設定ファイルがあり、無効なオプションが" "使われているかもしれません。標準の設定ファイル (/etc/snort/snort.conf) からこ" "れを読み込ませた場合、Snort が正常に起動しなくなるかもしれません。" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "こういったファイルや /etc/snort/snort.conf 設定ファイルからそれを参照している" "個所を削除してください。" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "以下の無効な設定ファイルが見つかりました: ${DEP_FILE}" debian/po/pt_BR.po0000664000000000000000000010126112317374526011167 0ustar # # Translators, if you are not familiar with the PO format, gettext # documentation is worth reading, especially sections dedicated to # this format, e.g. by running: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Some information specific to po-debconf are available at # /usr/share/doc/po-debconf/README-trans # or http://www.debian.org/intl/l10n/po-debconf/README-trans # # Developers do not need to manually edit POT or PO files. # msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2004-08-07 22:06-0300\n" "Last-Translator: André Luís Lopes \n" "Language-Team: Debian-BR Project \n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. 
Choices #: ../snort.templates:2001 #, fuzzy #| msgid "root" msgid "boot" msgstr "inicialização" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only when you manually start it via /usr/sbin/snort." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "O Snort pode ser iniciado durante a inicialização da máquina, quando " "conectando à Internet com o pppd ou somente quando você iniciar manualmente " "através do comando /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "On which interface Snort should listen? (only one!)" msgid "Interface(s) which Snort should listen on:" msgstr "Em qual interface de rede o Snort deve ouvir ? (somente uma !)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Please enter the interface name which snort should listen on. The name of " #| "the available interfaces are provided by running 'ip link show'. This " #| "value usually is 'eth0', but you might want to vary this depending on " #| "your environment, if you are using a dialup connection 'ppp0' might be " #| "more appropiate." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Por favor, informe o nome da interface na qual o snort deverá ouvir. O nome " "das interfaces disponíveis podem ser visualizados executando-se o comando " "'ip link show'. 
Esse valor geralmente é 'eth0', mas você pode querer variar " "isso dependendo de seu ambiente, caso você esteja usando uma conexão " "discada, 'ppp0' pode ser mais apropriado." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Notice that Snort is usually configured to inspect all traffic coming " #| "from the Internet, so the interface you add here is usually the same the " #| "'default route' is on. You can determine which interface is used for " #| "this running either '/sbin/ip ro sh' or '/sbin/route -n' (look for " #| "'default' or '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Note que o Snort geralmente é configurado para inspecionar todo tráfego " "chegando da Internet, de modo que a interface que você adicionar aqui " "geralmente é a mesma onde a 'rota padrão' está. Você pode determinar qual " "interface é usada para isso executando o comando '/sbin/ip ro sh' ou '/sbin/" "route -n' (procure por 'default' ou '0.0.0.0')." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to run Snort on an interface with no IP and " #| "configured in promiscuous mode, if this is your case, select the " #| "interface in this system that is physically connected to the network you " #| "want to inspect, enable promiscuous mode later on and make sure that the " #| "network traffic is sent to this interface (either connected to a 'port " #| "mirroring/spanning' port in a switch, to a hub or to a tap)" msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. 
For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Também não é incomum executar o Snort em uma interface sem endereço IP e " "configurada em modo promíscuo, caso esse seja seu caso, selecione a " "interface neste sistema que esteja fisicamente conectada à rede que você " "quer inspecionar, habilite o modo promíscuo depois e certifique-se de que o " "tráfego de rede seja enviado para essa interface (conectado a uma porta " "'port mirroring/spanning' em um switch, a um hub ou a uma tap)" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "Please enter the address range that Snort will listen on." msgid "Address range for the local network:" msgstr "Por favor, especifique a faixa de endereços na qual o Snort irá ouvir." #. Type: string #. Description #: ../snort.templates:4001 #, fuzzy #| msgid "" #| "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #| "192.168.1.42/32 for just one. Specify multiple addresses on a single line " #| "separated by ',' (comma characters), no spaces allowed!" msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Você precisará usar a notação CIDR, ou seja, 192.168.1.0/24 para um bloco de " "256 IPs ou 192.168.1.42/32 para um único host. Especifique múltiplos " "endereços em uma única linha separados por ',' (caracter vírgula). 
Espaços " "não são permitidos !" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "O Snort deve desabilitar o modo promíscuo na interface ?" #. Type: boolean #. Description #: ../snort.templates:5001 #, fuzzy #| msgid "" #| "Disabling promiscuous mode means that Snort will only see packets " #| "addressed to it's own interface. Enabling it allows Snort to check every " #| "packet that passes ethernet segment even if it's a connection between two " #| "other computers." msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Desabilitar o modo promíscuo significa que o Snort irá somente ver pacotes " "destinados à sua própria interface. Habilitar o modo promíscuo permitirá que " "o Snort cheque cada pacote que passa pelo segmento ethernet mesmo caso os " "pacotes façam parte de uma conexão entre dois outros computadores." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" #. Type: boolean #. 
Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "" #. Type: string #. Description #: ../snort.templates:8001 #, fuzzy #| msgid "Who should receive the daily statistics mails?" msgid "Recipient of daily statistics mails:" msgstr "Quem deverá receber os e-mails de estatísticas diárias ?" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "" #. Type: string #. Description #: ../snort.templates:10001 #, fuzzy #| msgid "" #| "An alert needs to appear more times than this number to be included in " #| "the daily statistics." msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Um alerta precisa aparecer mais do que esta quantidade de vezes para ser " "considerado nas estatísticas diárias." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "" #. Type: note #. Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" #. Type: error #. 
Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." 
msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" #, fuzzy #~| msgid "Do you want to set up a database for snort-mysql to log to?" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Voc deseja configurar uma base de dados para o snort-mysql armazenar " #~ "seus logs ?" #, fuzzy #~| msgid "" #~| "Make sure it has been set up correctly to allow incoming connections " #~| "from this host!" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Certifique-se de ter configurado a base de dados corretamente para " #~ "permitir conexes originadas deste host !" #, fuzzy #~| msgid "" #~| "Make sure this database has been created and your database user has " #~| "write access to this database." #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Certifique-se de que essa base de dados tenha sido criada e que seu " #~ "usurio tenha acesso de escrita nessa base de dados." #, fuzzy #~| msgid "Please enter the password for the database connection" #~ msgid "Password for the database connection:" #~ msgstr "" #~ "Por favor informe a senha a ser usada pelo Snort para a conexo com a " #~ "base de dados" #, fuzzy #~| msgid "Please enter a password to connect to the Snort Alert database." #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Por favor, informe uma senha para conexo na base de dados de Alertas do " #~ "Snort." #, fuzzy #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Por favor, crie a estrutura da base de dados agora, usando o comando a " #~ "seguir :\n" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p \n" #~ "Informando os valores corretos para usurio, host e nome da base de " #~ "dados. O MySQL ir solicitar a senha." #, fuzzy #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Depois de ter criado a estrutura da base de dados, pressione 'ok' para " #~ "continuar." #, fuzzy #~| msgid "Do you want to set up a database for snort-pgsql to log to?" #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "" #~ "Voc deseja configurar uma base de dados para o snort-pgsql armazenar " #~ "seus logs ?" #, fuzzy #~| msgid "Should Snort's rules testing order be changed to Pass|Alert|Log?" #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "A ordem de teste das regras do Snort deve ser mudada para Passar|Alertar|" #~ "Logar ?" #, fuzzy #~| msgid "You are running Snort manually." #~ msgid "You are running Snort manually" #~ msgstr "Voc est executando o Snort manualmente." #~ msgid "boot, dialup, manual" #~ msgstr "inicializao, discagem, manual" #~ msgid "When should Snort be started?" #~ msgstr "Quando o Snort deve ser iniciado ?" #~ msgid "" #~ "If you want you can specify 'any', to not trust any side of the network." #~ msgstr "" #~ "Caso voc queira, possvel especificar 'any', para no confiar em " #~ "nenhum dos lados da rede." #~ msgid "" #~ "If you change Snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge Berky Packet Filter " #~ "command line arguments to filter their alert rules." 
#~ msgstr "" #~ "Caso voc mude a ordem de teste das regras do Snort para Passar|Alertar|" #~ "Logar, as regras sero aplicadas na ordem Passar->Alertar->Logar, ao " #~ "invs da ordem padro Alertar->Passar->Logar. Isso evitar que os " #~ "usurios do Snort tenham que fazer grandes argumentos de linha de comando " #~ "Berkely Packet Filtering para filtrar suas regras de alerta." #~ msgid "" #~ "A cron job running daily will summarise the information of the logs " #~ "generated by Snort using a script called 'snort-stat'. Introduce here the " #~ "recipient of these mails. The default value is the system administrator. " #~ "If you keep this value, make sure that the mail of the administrator is " #~ "redirected to a user that actually reads those mails." #~ msgstr "" #~ "Um job cron executado diariamente ir sumarizar a informao dos logs " #~ "gerados pelo Snort usando um script chamado 'snort-stat'. Informe aqui o " #~ "destinatrio dessas mensagens. O valor padro o administrador do " #~ "sistema. Caso voc mantenha esse valor, certifique-se de que as mensagens " #~ "para o administrador sejam redirecionadas para um usurio que na verdade " #~ "leia essas mensagens." #, fuzzy #~| msgid "" #~| "If you want to specify custom options to Snort, please specify them here." #~ msgid "" #~ "If you want to specify custom options to Snort, please specify them here." #~ msgstr "" #~ "Caso voc queira especificar opes personalizadas para o Snort, por " #~ "favor, especifique-os aqui." #~ msgid "" #~ "Please restart Snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Por favor reinicie o Snort usando :\n" #~ " /etc/init.d/snort start\n" #~ "para fazer com que as configuraes tenham efeito." #~ msgid "" #~ "You only need to do this the first time you install snort-mysql. 
Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "mysql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-mysql " #~ "package with 'dpkg-reconfigure -plow snort-mysql'" #~ msgstr "" #~ "Voc precisa fazer isso somente na primeira vez que voc instalar o snort-" #~ "mysql. Antes de prosseguir, certifique-se de possuir (1) o hostname da " #~ "mquina executando um servidor mysql, configurado para permitir conexes " #~ "tcp originadas desse host, (2) uma base de dados nesse servidor, (3) um " #~ "nome de usurio e senha para acessar a base de dados. Caso voc no tenha " #~ "_tudo_ isso, selecione 'no' e execute o snort com o suporte comum de " #~ "logging em arquivo ou providencie tudo o que necessrio " #~ "antecipadamente. Voc poder sempre configurar o logging em base de dados " #~ "posteriormente, reconfigurando o pacote snort-mysql com o comando 'dpkg-" #~ "reconfigure -plow snort-mysql'" #~ msgid "Make sure this user has been created and has write access." #~ msgstr "" #~ "Certifique-se que esse usurio tenha sido criado e tenha acesso de " #~ "escrita." #, fuzzy #~ msgid "Snort needs a configured database to log to before it starts" #~ msgstr "" #~ "O Snort depende de um base de dados configuradas para armazenar seus logs." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have (1) the hostname of a machine running a " #~ "pgsql server set up to allow tcp connections from this host, (2) a " #~ "database on that server, (3) a username and password to access the " #~ "database. 
If you don't have _all_ of these, either select 'no' and run " #~ "with regular file logging support, or fix this first. You can always " #~ "configure database logging later, by reconfiguring the snort-pgsql " #~ "package with 'dpkg-reconfigure -plow snort-pgsql'" #~ msgstr "" #~ "Voc precisa fazer isso somente na primeira vez que voc instalar o snort-" #~ "pgsql. Antes de prosseguir, certifique-se de possuir (1) o hostname da " #~ "mquina executando um servidor pgsql, configurado para permitir conexes " #~ "tcp originadas desse host, (2) uma base de dados nesse servidor, (3) um " #~ "nome de usurio e senha para acessar a base de dados. Caso voc no tenha " #~ "_tudo_ isso, selecione 'no' e execute o snort com o suporte comum de " #~ "logging em arquivo ou providencie tudo o que necessrio " #~ "antecipadamente. Voc poder sempre configurar o logging em base de dados " #~ "posteriormente, reconfigurando o pacote snort-pgsql com o comando 'dpkg-" #~ "reconfigure -plow snort-pgsql'" #, fuzzy #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W \n" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Por favor, crie a estrutura da base de dados agora, usando o comando a " #~ "seguir :\n" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_pgsql.gz | psql -U -h -W \n" #~ "Informando os valores corretos para usurio, host e nome da base de " #~ "dados. O PostgreSQL ir solicitar a senha." #, fuzzy #~ msgid "On which interface(s) should Snort listen?" #~ msgstr "Em qual interface de rede o Snort deve ouvir ?" #, fuzzy #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. 
The names of the available interfaces are provided by either " #~ "running 'ip link show' of 'ifconfig'. This value usually is 'eth0', but " #~ "you might want to vary this depending on your environment, if you are " #~ "using a dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Por favor, informe o nome da interface na qual o snort dever ouvir. O " #~ "nome das interfaces disponveis podem ser visualizados executando-se o " #~ "comando 'ip link show'. Esse valor geralmente 'eth0', mas voc pode " #~ "querer variar isso dependendo de seu ambiente, caso voc esteja usando " #~ "uma conexo discada, 'ppp0' pode ser mais apropriado." #~ msgid "Please enter the address range that Snort will listen on." #~ msgstr "" #~ "Por favor, especifique a faixa de endereos na qual o Snort ir ouvir." #~ msgid "" #~ "Disable promiscuous mode if you are configuring Snort on an interface " #~ "without a configured IP address." #~ msgstr "" #~ "Desabilite o modo promscuo caso voc esteja configurando o Snort em uma " #~ "interface sem um endereo IP configurado." #~ msgid "Please enter the hostname of the mysql database server to use." #~ msgstr "" #~ "Por favor, informe o hostname do servidor de base de dados mysql a ser " #~ "utilizado." #~ msgid "Please enter the name of the database to use." #~ msgstr "Por favor, informe o nome da base de dados a ser usada." #~ msgid "Please enter the name of the database user you want to use." #~ msgstr "" #~ "Por favor, informe o nome do usurio desejado para acessar a base dados." #~ msgid "Please enter the password for the database connection." #~ msgstr "Por favor, informe a senha para conexo na base de dados." #~ msgid "Please enter the hostname of the pgsql database server to use." #~ msgstr "" #~ "Por favor, informe o hostname do servidor de base de dados pgsql a ser " #~ "utilizado." #, fuzzy #~ msgid "" #~ "Please enter the name(s) of the interface(s) which Snort should listen " #~ "on. 
The names of the available interfaces are provided by either running " #~ "'ip link show' of 'ifconfig'. This value usually is 'eth0', but you might " #~ "want to vary this depending on your environment, if you are using a " #~ "dialup connection 'ppp0' might be more appropiate." #~ msgstr "" #~ "Por favor, informe o nome da interface na qual o snort dever ouvir. O " #~ "nome das interfaces disponveis podem ser visualizados executando-se o " #~ "comando 'ip link show'. Esse valor geralmente 'eth0', mas voc pode " #~ "querer variar isso dependendo de seu ambiente, caso voc esteja usando " #~ "uma conexo discada, 'ppp0' pode ser mais apropriado." #~ msgid "On which interface should Snort listen?" #~ msgstr "Em qual interface de rede o Snort deve ouvir ?" #~ msgid "" #~ "Notice that Snort is usually configured to inspect all traffic coming " #~ "from the Internet, so the interface you add here is usually the same the " #~ "'default route' is on. You can determine which interface is used for " #~ "this running either 'ip route show' or '/sbin/route -n' (look for " #~ "'default' or '0.0.0.0')." #~ msgstr "" #~ "Note que o Snort geralmente configurado para inspecionar todo trfego " #~ "chegando da Internet, de modo que a interface que voc adicionar aqui " #~ "geralmente a mesma onde a 'rota padro' est. Voc pode determinar qual " #~ "interface usada para isso executando o comando '/sbin/ip ro sh' ou '/" #~ "sbin/route -n' (procure por 'default' ou '0.0.0.0')." #~ msgid "Should Snort disable promiscous mode on the interface?" #~ msgstr "O Snort deve desabilitar o modo promscuo na interface ?" #~ msgid "What address range should Snort consider to be local?" #~ msgstr "Qual faixa de endereos o Snort deve considerar local ?" #~ msgid "" #~ "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #~ "192.168.1.42/32 for just one. Specify multiple addresses on a single " #~ "line, seperated by ',' (comma characters). No spaces allowed!" 
#~ msgstr "" #~ "Voc precisa usar o formato CIDR, ou seja, 192.168.1.0/24 para um bloco " #~ "de 256 IPs ou 192.168.1.42/32 para um nico host. Especifique mltiplos " #~ "endereos em uma nica linha, separados por ',' (caracter de vrgula). " #~ "Espaos no so permitidos !" #~ msgid "" #~ "Disabling the promiscuous mode means that Snort will only see packets " #~ "addressed to its own interface. Enabling allows it to check every packet " #~ "that passes the ethernet even if it's a connection between two other " #~ "computers" #~ msgstr "" #~ "Desabilitar o modo promscuo significa que o Snort ir somente ver " #~ "pacotes destinados a sua prpria interface. Habilitar o modo promscuo " #~ "permitir que o Snort cheque cada pacote que passa pela ethernet mesmo " #~ "caso os pacotes faam parte de uma conexo entre dois outros computadores." #~ msgid "When should snort be started?" #~ msgstr "Quando o Snort deve ser iniciado ?" #~ msgid "Please enter the address range that snort will listen on." #~ msgstr "" #~ "Por favor especifique a faixa de endereos na qual o Snort ir ouvir." #~ msgid "" #~ "You have to use CIDR form, i.e. 192.168.1.0/24 for a block of 256 IPs or " #~ "192.168.1.42/32 for just one. Specify multiple addresses on a single " #~ "line, separated by ',' (comma characters). No spaces allowed!" #~ msgstr "" #~ "Voc precisar usar a notao CIDR, ou seja, 192.168.1.0/24 para um bloco " #~ "de 256 IPs ou 192.168.1.42/32 para um nico host. Especifique mltiplos " #~ "endereos em uma nica linha separados por ',' (caracter vrgula). " #~ "Espaos no so permitidos !" #~ msgid "" #~ "Disabling the promiscuous mode means that snort will only see packets " #~ "addressed to it's own interface. Enabling allows it to check every packet " #~ "that passes the ethernet even if it's a connection between two other " #~ "computers" #~ msgstr "" #~ "Desabilitar o modo promscuo significa que o Snort ir somente ver " #~ "pacotes destinados a sua prpria interface. 
Habilitar o modo promscuo " #~ "permitir que o Snort cheque cada pacote que passa pela ethernet mesmo " #~ "caso os pacotes faam parte de uma conexo entre dois outros computadores." #~ msgid "Should snort's rules testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "A ordem de teste das regras do Snort devem ser mudadas para Passar|" #~ "Alertar|Logar ?" #~ msgid "" #~ "If you change snort's rules testing order to Pass|Alert|Log, they will be " #~ "applied in Pass->Alert->Log order, instead of standard Alert->Pass->Log. " #~ "This will prevent people from having to make huge BPF command line " #~ "arguments to filter their alert rules." #~ msgstr "" #~ "Caso voc mude a ordem de teste das regras do Snort para Passar|Alertar|" #~ "Logar as regras sero aplicadas na ordem Passar->Alertar->Logar ao invs " #~ "da ordem padro Alertar->Passar->Logar. Isso evitar que os usurios do " #~ "Snort tenham que fazer grandes argumentos de linha de comando BFP para " #~ "filtrar suas regras de alerta." #~ msgid "" #~ "You only need to do this the first time you install snort-pgsql. Before " #~ "you go on, make sure you have the following things at hand: - The " #~ "hostname of a machine running a pgsql server, set up to allow TCP\n" #~ " connections to the database (from this host).\n" #~ "- A database on the database server - A username and password for a user " #~ "that has write access to this database. If you don't have _all_ of these, " #~ "either select 'no' and run with regular file logging support, or fix this " #~ "first. You can always configure database logging later, by reconfiguring " #~ "the snort-pgsql package." #~ msgstr "" #~ "Voc precisa fazer isso somente na primeira vez que voc instalar o Snort-" #~ "MySQL. 
Antes de prosseguir, certifique-se de ter em mos as seguintes " #~ "informaes : \n" #~ "- O hostname da mquina onde se encontra o servidor PostgreSQL, " #~ "configurado para permitir conexes TCP originadas desse host.\n" #~ "- Uma base de dados nesse servidor PostgreSQL.\n" #~ "- Um nome de usurio que possua acesso de escrita na base dados e sua " #~ "senha.\n" #~ " . Caso voc no possua _tudo_ isso, selecione 'No' e execute o Snort " #~ "com o suporte comum de logging em arquivo ou providencie tudo o que " #~ "necessrio antecipadamente. Voc poder sempre configurar o logging em " #~ "base de dados posteriormente, reconfigurando o pacote snort-pgsql." #~ msgid "" #~ "Please create the database structure now, using the following command:\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -u -h \n" #~ "Filling in the correct values for the user, host, and database names. The " #~ "pgsql tool will prompt you for the password." #~ msgstr "" #~ "Por favor crie a estrutura da base de dados agora, usando o comando a " #~ "seguir :\n" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -u -h \n" #~ "Informando os valores corretos para usurio, host e nome da base de " #~ "dados. O PostgreSQL ir solicitar a senha." #~ msgid "Please enter a password to connect to the SNORT Alert database" #~ msgstr "" #~ "Por favor informe uma senha para se conectar a base de dados de Alertas " #~ "do Snort." #~ msgid "You are running snort manually." #~ msgstr "Voc est executando o Snort manualmente." #~ msgid "" #~ "Please restart snort using:\n" #~ " /etc/init.d/snort start\n" #~ "to let the settings take effect." #~ msgstr "" #~ "Por favor reinicie o Snort usando :\n" #~ " /etc/init.d/snort start\n" #~ "para fazer com que as configuraes tenham efeito." 
#~ msgid "MIB-File addition for snmpd" #~ msgstr "Adio de Arquivo-MIB para o snmpd" #~ msgid "" #~ "Snort-common comes with two MIB-files for your snmpd to load, so it knows " #~ "about Snort's information. It is impossible for me to add these MIB-files " #~ "to your snmpd automatically. So if you want to have snort information " #~ "from your snmpd, please read the documentation that came with your snmpd " #~ "on how to install external MIB additions." #~ msgstr "" #~ "O Snort-common fornecido com dois arquivos-MIB para seu servidor snmpd " #~ "carregar, de forma que seu servidor snmpd obtenha informaes sobre o " #~ "Snort. impossvel para esse assistente adicionar esses arquivos-MIB " #~ "automaticamente em seu snmpd. Portanto caso voc queira obter informaes " #~ "do Snort a partir de seu snmpd, por favor leia a documentao que " #~ "acompanha seu snmpd sobre como instalar adies MIB externas." #~ msgid "Snort-common placed these two MIB-files in /usr/share/snmp/mibs/" #~ msgstr "" #~ "O Snort-common colocou esses dois arquivos-MIB em /usr/share/snmpd/mibs/" #~ msgid "eth0" #~ msgstr "eth0" #~ msgid "192.168.0.0/16" #~ msgstr "192.168.0.0/16" #~ msgid "1" #~ msgstr "1" debian/po/eu.po0000664000000000000000000004635312317374526010604 0ustar # translation of snort-eu.po to Euskara # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # # Piarres Beobide , 2008. msgid "" msgstr "" "Project-Id-Version: snort-eu\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2008-04-30 12:13+0200\n" "Last-Translator: Piarres Beobide \n" "Language-Team: Euskara \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: KBabel 1.11.4\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "abioan" #. Type: select #. 
Choices #: ../snort.templates:2001 msgid "dialup" msgstr "markatzean" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "eskuz" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Snort abiarazteko metodoa:" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort sistema abioan, sarera pppd bidez konektatzean edo eskuz /usr/sbin/" "snort komandoa erabiliaz abiarazi daiteke." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Snort-ek entzun behar duen interfazea(k):" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Balio hau arruntean 'eth0' da, baina hau baliogabea izan daiteke zenbait " "sare inguruneetan markaketa bidezko konexioetarako 'ppp0' izan daiteke " "egokiagoa (begiratu '/sbin/ifconfig' irteeran)." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." 
msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Normalean hau 'default route' (lehenetsiriko bidea) ezarria duen interfazea " "da. Zein interfaze erabiltzen den jakiteko '/sbin/route -n' komandoaren " "irteera begiratu ('0.0.0.0' bilatu)." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Ez da guztiz arraroa ere promiskuoa moduan konfiguratutako IP gabeko " "interfaze bat erabiltzea ere. Kasu hauetan gainbegiratu behar den sarera " "konektaturik dagoen interfazea hautatu, promiskuo modua gaitu eta ziurtatu " "sareko trafikoa interfaze honetara bidaltzen dela (ataka ispilu/spanning " "port batetan switch batetan, hub batetan edo \"tap\" batetan)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." 
msgstr "" "Interfaze anitz konfiguratu ditzakezu, interfaze izenak bata bestean atzean " "zuriune batez bereizirik. Interfaze bakoitzak bere konfigurazio berezia izan " "dezake." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Sare lokaleko helbide tartea:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Mesedez erabili CIDR formatua - adibidez, 192.168.1.0/24 256 helbideetako " "bloke batentzat edo 192.168.1.42/32 bakar batentzat. Balio ezberdinak gakoz " "bereizi behar dira (hutsunerik gabe)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Mesedez kontutan izan Snort interfaze anitz erabiltzeko konfiguraturik " "dagoela, balio hau HOME_NET definizio bezala erabiliko da guztietan." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Snort-ek modu promiskuoa ezgaitu behar al du interfaze guztietan?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Modu promiskuoa ezgaitzeak Snort-ek monitorizatzen ari den interfazerako " "diren paketeak bakarrik ikustea eragingo du. Berau gaitzean Snort ethernet " "segmentutik pasatzen diren pakete guztiak arakatzeko aukera ematen dio nahiz " "beste bi ordenagailuen arteko konexio bat denean." #. Type: error #. 
Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interfaze baliogabea" #. Type: error #. Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort edo ez dagoen edo konexio gabe dagoen interfaze bat erabiltzen " "saiatzen ari da. Edo modu okerrean 'eth0' lehenespena da, edo interfaze " "baliogabe bat ezarri duzu." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Eguneko laburpena eposta bidez bidali behar al da?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Cron lan bat ezarri daiteke Snort erregistroen eguneko laburpena hautatutako " "eposta helbidera bidali dadin." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Mesedez hautatu ezaugarri hau gaitu nahi duzun." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Eguneroko estatistika eposta hartzailea:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Mesedez ezarri Snort erregistroen eguneroko laburpena jaso behar duen eposta " "helbidea." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Aukera pertsonal gehigarriak:" #. Type: string #. 
Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Mesedez ezarri Snort-ek erabili behar duen edozein aukera gehigarri." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Alertak erreportatzeko errepikatze gutxienekoa:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Mesedez ezarri alerta bat eguneroko estatistiketan sartzeko gertatu behar " "diren gutxieneko errepikapenak." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Snort berrabiaraztea beharrezkoa" #. Type: note #. Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Snort eskuz abiarazirik dagoenez, '/etc/init.d/snort' exekutatu behar duzu " "aldaketak egiteko." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Zaharkitutako konfigurazio fitxategia" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Sistema honek automatikoki konfigurazio formatu berrira (/etc/default/snort-" "en) bihurtu den zaharkituriko konfigurazio fitxategi bat erabiltzen du (/etc/" "snort/snort.common.parameters)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. 
Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Mesedez gainbegiratu konfigurazio berria eta kendu zaharra. Zuk hau egin " "arte abiarazte skriptak ez du konfigurazio berria erabiliko eta ez duzu " "bertsio berrietan sartutako hobetzeen erabilerarik egingo." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Zaharkitutako konfigurazio fitxategia" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Snort konfigurazio fitxategiak (/etc/snort/snort.conf) Snort bertsio onetan " "onartzen ez diren zaharkituriko aukerak erabiltzen ditu. Snort ez da " "abiarazteko gai izango zuk konfigurazio zuzen bat sortu arte. Edo onartu " "pakete honek dakarren konfigurazio fitxategiaz ordeztea edo eskuz konpondu " "zaharkituriko aukerak kenduaz." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Hurrengo zaharkituriko aukerak aurkitu dira konfigurazio fitxategian: " "${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Konfigurazio errorea" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." 
msgstr "" "Dagoen Snort konfigurazioa baliogabea da eta Snort behar bezala abiaraztea " "ezintzen du. Mesedez egiaztatu eta konpondu ezazu." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Snort konfigurazio fitxategian errore bat aztertzeko '/usr/sbin/snort -T -c " "' erabili." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Zaharkitutako konfigurazio fitxategia" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Hurrengo zaharkituriko aukerak aurkitu dira konfigurazio fitxategian: " "${DEP_CONFIG}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "Datubase bat konfiguratu snort-mysql bertan erregistratzeko?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Ez da datubaserik konfiguratu Snort-ek bertan erregistroa egiteko. 
" #~ "Aurrera jarraitu haurretik hurrengo hauek betetzen dituzula ziurtatu:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - zerbitari ostalari-izena (zerbitzari horrek makina honetako TCP \n" #~ " konexioak onartu behar ditu);\n" #~ " - datubase bat zerbitzari horretan;\n" #~ " - datubase hori erabili ahal izateko erabiltzaile eta pasahitz bat." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Eskakizun hauetako batenbat falta bada, baztertu aukera hau eta fitxategi " #~ "bidezko erregistro onarpen arruntaz exekutatu." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Datubase erregistroa beranduago konfiguratu daiteke 'dpkg-reconfigure -" #~ "plow snort-mysql' exekutatuaz." #~ msgid "Database server hostname:" #~ msgstr "Datubase zerbitzari ostalari-izena:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Mesedez ezarri ostalari honetatik konexioak onartzen dituen datubase " #~ "zerbitzariaren ostalari izena." #~ msgid "Database name:" #~ msgstr "Datu-base izena:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Mesedez ezarri datubase erabiltzaileak idazketa baimena duen sorturiko " #~ "datubase baten izena." #~ msgid "Username for database access:" #~ msgstr "Datubasea atzitzeko erabiltzaile-izena:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Mesedez ezarri datubasean idazketa baimena duen datubase zerbitzari " #~ "erabiltzaile izen bat." 
#~ msgid "Password for the database connection:" #~ msgstr "Datubase konexiorako pasahitza:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Mesedez idatzi Snort alerta datubasera konektatzeko etabiliko den " #~ "pasahitza." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Konfiguratutako datubasea beharrezkoa Snort erabiltzeko" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort-ek konfiguratutako datubase bat behar du behar bezala abiarazteko. " #~ "Egitura sortu ahala izateko hurrengo komandoak exekutatu behar dituzu " #~ "paketea instalatu AURRETIK:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Bete erabiltzaile, ostalari eta datubase izenaren balio zuzenak. MySQL-k " #~ "pasahitza eskatuko dizu." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Behin datubase egitura sortu duzunean, Snort eskuz abiarazi beharko duzu." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Datubase bat konfiguratu snort-pgsql bertan erregistratzeko?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Datubase erregistroa beranduago berkonfiguratu daiteke 'dpkg-reconfigure -" #~ "plow snort-pgsql' exekutatuaz." 
#~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ "" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Bete erabiltzaile, ostalari eta datubase izenaren balio zuzenak. " #~ "PostgreSQL -k pasahitza eskatuko dizu." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "Snort probatze ordena Pasa|Alerta|Erregistro-ra aldatu?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Snort-en proba orden lehenetsia Alerta|Pasa|Erregistroa da; aukera hau " #~ "onartzen baduzu berau Pasa|Alerta|Erregistroa izatera pasako da zenbait " #~ "pakete-iragazte lanabesekin Snort erabiltzea errazagoa izan dadin." #~ msgid "You are running Snort manually" #~ msgstr "Snort eskuz exekutatzen ari zara" #~ msgid "There is an error in your configuration" #~ msgstr "Errore bat aurkitu da zure konfigurazioan" debian/po/fr.po0000664000000000000000000003245612317374526010601 0ustar # Translation of snort debconf templates to French # Copyright (C) 2007 Christian Perrier # This file is distributed under the same license as the snort package. # # Christian Perrier , 2004, 2006, 2007, 2008. msgid "" msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-13 08:03+0200\n" "PO-Revision-Date: 2013-09-16 09:38+0200\n" "Last-Translator: JP Guillonneau \n" "Language-Team: French \n" "Language: fr\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: \n" #. Type: select #. 
Choices #: ../snort.templates:2001 msgid "boot" msgstr "Au démarrage" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "À la connexion" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "Manuellement" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Méthode de lancement de Snort :" #. Type: select #. Description #: ../snort.templates:2002 msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort peut être lancé au démarrage du système, lors de la connexion au " "réseau avec pppd ou à la demande avec la commande « /usr/sbin/snort »." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Interface(s) où Snort sera à l'écoute :" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "La valeur habituelle est « eth0 » mais elle peut varier selon " "l'environnement réseau : pour une connexion ponctuelle (« dialup »), " "« ppp0 » est probablement plus adapté (voir le résultat de la commande « /" "sbin/ifconfig »)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "L'interface est celle qu'utilise la route par défaut. Vous pouvez obtenir " "cette information avec la commande « /sbin/route -n » (rechercher " "« 0.0.0.0 »)." #. Type: string #. 
Description #: ../snort.templates:3001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Il est également fréquent d'utiliser Snort sur une interface sans adresse " "IP, en mode promiscuité (« promiscuous »). Dans ce cas, choisissez " "l'interface connectée physiquement au réseau que vous voulez analyser et " "activez ce mode plus tard. Assurez-vous que le trafic réseau est bien envoyé " "à cette interface (soit connectée à un port de miroir ou de répartition " "(« mirroring/spanning port ») sur un commutateur réseau, soit connectée à un " "répartiteur ou à un dérivateur)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Il est possible de configurer plusieurs interfaces en les mentionnant " "toutes, séparées par des espaces. Chacune d'elles pourra avoir une " "configuration différente." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Plage d'adresses du réseau local :" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Veuillez utiliser le format CIDR, par exemple 192.168.1.0/24 pour un bloc de " "256 adresses IP ou 192.168.1.42/32 pour une seule adresse. 
Il est possible " "d'indiquer plusieurs adresses sur une seule ligne en les séparant par des " "virgules (sans espaces)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Veuillez noter que si Snort est configuré pour utiliser plusieurs " "interfaces, la valeur définie ici sera la valeur HOME_NET pour chacune " "d'elles." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Faut-il désactiver le mode promiscuité sur l'interface ?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Si le mode promiscuité (« promiscuous ») est désactivé, Snort ne verra que " "les paquets adressés à sa propre interface. S'il est activé, il vérifiera " "chaque paquet transitant sur le segment Ethernet même s'il s'agit d'échanges " "entres deux autres ordinateurs." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Interface non valable" #. Type: error #. Description #: ../snort.templates:6001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort tente d'utiliser une interface inexistante ou inactive. Soit il " "utilise par erreur la valeur par défaut (eth0), soit l'adresse indiquée " "n'est pas valable." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Faut-il envoyer des rapports quotidiens par courriel ?" #. 
Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Une tâche quotidienne de cron créera un résumé de l'information des journaux " "de Snort et l'enverra à une adresse électronique prédéfinie." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Veuillez choisir si vous souhaitez activer cette fonctionnalité." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Destinataire des courriers électroniques quotidiens de statistiques :" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Veuillez indiquer l'adresse électronique qui recevra les résumés quotidiens " "des journaux de Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Options personnelles supplémentaires :" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Veuillez indiquer les options supplémentaires qu'utilisera Snort." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Nombre d'occurrences minimales avant l'envoi d'alertes :" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Une alerte doit se produire un nombre de fois supérieur à celui indiqué pour " "être comptabilisée dans les statistiques quotidiennes." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Redémarrage de Snort indispensable" #. Type: note #. 
Description #: ../snort.templates:11001 msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Comme Snort est lancé manuellement, il est nécessaire d'exécuter la commande " "« service snort restart » pour que les modifications soient prises en compte." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Fichier de configuration obsolète" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Le système utilise un fichier de configuration obsolète (/etc/snort/snort." "common.parameters) qui a été automatiquement converti vers le nouveau format " "(dans /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Veuillez vérifier le nouveau fichier de configuration et supprimer l'ancien. " "Tant que cela n'aura pas été fait, le script de démarrage n'utilisera pas la " "nouvelle configuration et vous ne bénéficierez pas des améliorations des " "versions plus récentes." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "Deprecated options in configuration file" msgstr "Fichier de configuration avec des options obsolètes" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. 
Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Le fichier de configuration de Snort (/etc/snort/snort.conf) utilise des " "options qui ne sont plus disponibles dans cette version du logiciel. Snort " "ne pourra pas démarrer tant que le fichier de configuration ne sera pas " "corrigé. Vous pouvez remplacer ce fichier par celui fourni avec le paquet ou " "le corriger vous-même pour supprimer les options obsolètes." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Liste des options obsolètes dans le fichier de configuration : ${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Erreur de configuration" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "La configuration actuelle de Snort n'est pas valable et l'empêchera de " "démarrer. Veuillez la contrôler et la corriger." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Le diagnostic des erreurs du fichier de configuration de Snort peut se faire " "(comme superutilisateur) avec la commande « /usr/sbin/snort -T -c /etc/snort/" "snort.conf »." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Fichier de configuration obsolète" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. 
If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "Le système contient des fichiers de configuration obsolètes qui ne doivent " "plus être utilisés et pouvant contenir des options obsolètes. S’ils sont " "utilisés par le fichier de configuration standard (/etc/snort/snort.conf), " "ils peuvent empêcher Snort de démarrer correctement. " #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Veuillez supprimer ces fichiers ainsi que toutes leurs références dans le " "fichier de configuration /etc/snort/snort.conf. " #. Type: note #. Description #: ../snort-common.templates:4001 msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "Liste des fichiers de configuration obsolètes : ${DEP_FILE}" debian/po/ru.po0000664000000000000000000005543012317374526010615 0ustar # translation of ru.po to Russian # This file is distributed under the same license as the snort package. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER. # # Yuriy Talakan' , 2007. # Yuri Kozlov , 2008. # Yuri Kozlov , 2009, 2013. msgid "" msgstr "" "Project-Id-Version: snort 2.9.5.3-1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2012-08-08 23:48+0200\n" "PO-Revision-Date: 2013-09-01 11:26+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "Language: ru\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.4\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" "%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: select #. Choices #: ../snort.templates:1001 msgid "boot" msgstr "загрузка" #. Type: select #. Choices #: ../snort.templates:1001 msgid "dialup" msgstr "дозвон" #. 
Type: select #. Choices #: ../snort.templates:1001 msgid "manual" msgstr "вручную" #. Type: select #. Description #: ../snort.templates:1002 msgid "Snort start method:" msgstr "Способ запуска Snort:" #. Type: select #. Description #: ../snort.templates:1002 msgid "" "Snort can be started during boot, when connecting to the net with pppd or " "only manually with the /usr/sbin/snort command." msgstr "" "Snort может запускаться при загрузке, при подключении к сети через pppd, или " "только когда вы вручную запустите его с помощью /usr/sbin/snort." #. Type: string #. Description #: ../snort.templates:2001 msgid "Interface(s) which Snort should listen on:" msgstr "Интерфейсы, которые должен слушать Snort:" #. Type: string #. Description #: ../snort.templates:2001 msgid "" "This value is usually 'eth0', but this may be inappropriate in some network " "environments; for a dialup connection 'ppp0' might be more appropriate (see " "the output of '/sbin/ifconfig')." msgstr "" "Обычно, это значение равно «eth0», но оно может не работать в некоторых " "сетях; для коммутируемого подключения больше подходит «ppp0» (посмотрите " "результат работы «/sbin/ifconfig»)." #. Type: string #. Description #: ../snort.templates:2001 msgid "" "Typically, this is the same interface as the 'default route' is on. You can " "determine which interface is used for this by running '/sbin/route -n' (look " "for '0.0.0.0')." msgstr "" "Обычно, это тот же интерфейс, через который проходит «маршрут по умолчанию». " "Вы можете определить какой интерфейс использовать с помощью команды «/sbin/" "route -n» (ищите «0.0.0.0»)." #. Type: string #. Description #: ../snort.templates:2001 msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. 
For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a 'port mirroring/spanning' port in a " "switch, to a hub or to a tap)." msgstr "" "Также нет ничего необычного в запуске Snort на интерфейсе без IP в режиме " "прослушивания. В этом случае, выберите на этой системе интерфейс, физически " "подключённый к инспектируемой сети, разрешите потом режим прослушивания и " "убедитесь, что сетевой трафик отправляется на этот интерфейс (подключённый к " "порту коммутатора «port mirroring/spanning», к концентратору или к сетевой " "ловушке)." #. Type: string #. Description #: ../snort.templates:2001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Вы можете указать здесь несколько интерфейсов, просто добавив более одного " "имени интерфейса через пробел. У каждого интерфейса могут быть свои " "собственные настройки." #. Type: string #. Description #: ../snort.templates:3001 msgid "Address range for the local network:" msgstr "Диапазон адресов локальной сети:" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Используйте формат CIDR, например 192.168.1.0/24 для блока из 256 IP адресов " "или 192.168.1.42/32 для одного. Несколько адресов указываются на одной " "строке через запятую (без пробелов)." #. Type: string #. Description #: ../snort.templates:3001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." 
msgstr "" "Обратите внимание, если для Snort указано несколько интерфейсов, то это " "определение будет использовано как определение HOME_NET для всех интерфейсов." #. Type: boolean #. Description #: ../snort.templates:4001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Должен ли Snort запретить режим прослушивания на интерфейсе?" #. Type: boolean #. Description #: ../snort.templates:4001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Запрет режима прослушивания означает, что Snort будет видеть только те " "пакеты, которые адресованы его интерфейсу. Разрешение позволяет Snort " "проверить каждый пакет, проходящий через сегмент Ethernet, даже если это " "соединение между двумя другими компьютерами." #. Type: error #. Description #: ../snort.templates:5001 msgid "Invalid interface" msgstr "Неправильный интерфейс" #. Type: error #. Description #: ../snort.templates:5001 msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to 'eth0', or you specified one which is " "invalid." msgstr "" "Snort пытается использовать интерфейс, который не существует или выключен. " "Возможно, интерфейс по умолчанию «eth0» в вашем случае не подходит, или " "указанный вами интерфейс неправилен." #. Type: boolean #. Description #: ../snort.templates:6001 msgid "Should daily summaries be sent by e-mail?" msgstr "Отправлять ежедневные отчёты по e-mail?" #. Type: boolean #. Description #: ../snort.templates:6001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Для отправки ежедневного отчёта по журналам Snort на указанный адрес " "электронной почты может быть настроено задание cron." #. Type: boolean #. 
Description #: ../snort.templates:6001 msgid "Please choose whether you want to activate this feature." msgstr "Укажите, хотите ли вы включить эту возможность." #. Type: string #. Description #: ../snort.templates:7001 msgid "Recipient of daily statistics mails:" msgstr "Получатель ежедневного отчёта по почте:" #. Type: string #. Description #: ../snort.templates:7001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Укажите адрес электронной почты, на который нужно отправлять ежедневный " "отчёт по журналам Snort." #. Type: string #. Description #: ../snort.templates:8001 msgid "Additional custom options:" msgstr "Дополнительные специальные настройки:" #. Type: string #. Description #: ../snort.templates:8001 msgid "Please specify any additional options Snort should use." msgstr "" "Здесь можно указать любые дополнительные специальные настройки, которые " "должен использовать Snort." #. Type: string #. Description #: ../snort.templates:9001 msgid "Minimum occurrences before alerts are reported:" msgstr "" "Минимальное количество возникновения тревоги, чтобы она попала в отчёт:" #. Type: string #. Description #: ../snort.templates:9001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Чтобы быть включённой в дневной отчёт, тревога должна возникнуть более, чем " "указанное число раз." #. Type: note #. Description #: ../snort.templates:10001 msgid "Snort restart required" msgstr "Snort требуется перезапустить" #. Type: note #. Description #: ../snort.templates:10001 msgid "" "As Snort is manually launched, you need to run '/etc/init.d/snort' for the " "changes to take place." msgstr "" "Так как Snort запускается вручную, для того, чтобы изменения начали " "работать, вам нужно выполнить «/etc/init.d/snort»." #. Type: error #. 
Description #: ../snort.templates:11001 msgid "Obsolete configuration file" msgstr "Устаревший файл настройки" #. Type: error #. Description #: ../snort.templates:11001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "В системе используется устаревший файл настройки (/etc/snort/snort.common." "parameters), он был автоматически преобразован в файл нового формата (в /etc/" "default/snort)." #. Type: error #. Description #: ../snort.templates:11001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Просмотрите новые настройки и удалите устаревшие. Пока вы этого не сделаете, " "сценарий запуска не будет использовать новые настройки и вы не получите " "преимуществ, появившихся в новых выпусках." #. Type: note #. Description #: ../snort-common.templates:1001 #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Устаревшие параметры в файле настройки" #. Type: note #. Description #: ../snort-common.templates:1001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "В файле настройки Snort (/etc/snort/snort.conf) используются устаревшие " "параметры, " "более недоступные в этом выпуске Snort. Snort не сможет запуститься, пока вы " "не предоставите корректный файл настройки. 
Вы можете подменить ваш файл " "настройки одним из поставляемых с этим пакетом или поправить его вручную, " "удалив устаревшие параметры." #. Type: note #. Description #: ../snort-common.templates:1001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "В файле настройки были найдены следующие устаревшие параметры: ${DEP_CONFIG}" #. Type: error #. Description #: ../snort-common.templates:2001 msgid "Configuration error" msgstr "Ошибка настройки" #. Type: error #. Description #: ../snort-common.templates:2001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Имеющаяся настройка Snort неправильна, и из-за этого Snort не будет " "запускаться. Просмотрите и исправьте её." #. Type: error #. Description #: ../snort-common.templates:2001 #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: '/usr/sbin/snort -T -c /etc/snort/snort.conf'" msgstr "" "Чтобы найти ошибку в файле настройки Snort, запустите (как root) " "следующую команду: «/usr/sbin/snort -T -c /etc/snort/snort.conf»" #. Type: note #. Description #: ../snort-common.templates:3001 msgid "Deprecated configuration file" msgstr "Устаревший файл настройки" #. Type: note #. Description #: ../snort-common.templates:3001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" "В вашей системе найдены устаревшие файлы настройки, которые " "больше не должны использоваться и в которых могут содержаться " "устаревшие параметры. 
Если их добавить через стандартный файл " "настройки (/etc/snort/snort.conf), то Snort может перестать запускаться." #. Type: note #. Description #: ../snort-common.templates:3001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" "Удалите эти файлы, а также все существующие ссылки на них из " "файла настройки /etc/snort/snort.conf." #. Type: note #. Description #: ../snort-common.templates:3001 #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "Были найдены следующие устаревшие файлы настройки: ${DEP_FILE}" #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "Подготовить базу данных для журналирования с помощью snort-mysql?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Для журналирования Snort не хватает настроенной базы данных. Перед тем " #~ "как продолжить, проверьте:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - имя машины-сервера (этот сервер должен принимать TCP-соединения\n" #~ " с этой машины);\n" #~ " - базу данных на этом сервере;\n" #~ " - имя пользователя и пароль для доступа к базе данных." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Если не хватает хотя бы одного параметра, ответьте отрицательно и " #~ "включите поддержку журналирования в обычный файл." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." 
#~ msgstr "" #~ "Журналирование в базу данных можно настроить позже с помощью команды " #~ "'dpkg-reconfigure -plow snort-mysql'." #~ msgid "Database server hostname:" #~ msgstr "Имя сервера базы данных:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Убедитесь, что сервер базы данных настроен на прием входящих соединений " #~ "от этого компьютера." #~ msgid "Database name:" #~ msgstr "Имя базы данных:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Укажите имя существующей базы данных, для которой у пользователя базы " #~ "данных есть права на запись." #~ msgid "Username for database access:" #~ msgstr "Имя пользователя базы данных:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Укажите имя пользователя на сервере базы данных, имеющего доступ на " #~ "запись в базу." #~ msgid "Password for the database connection:" #~ msgstr "Пароль для подключения к базе данных:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "Введите пароль для подключения к базе данных Snort Alert." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Для Snort должна быть настроена база данных" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort нужна настроенная база данных, прежде чем он сможет успешно " #~ "запуститься. 
Чтобы создать структуру, вы должны запустить следующие " #~ "команды ПОСЛЕ установки пакета:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u <пользователь> -h <машина> -p <имя базы " #~ "данных>" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Замените на правильные значения пользователя, машины и базы данных. MySQL " #~ "запросит у вас пароль." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Вам надо запустить Snort вручную после создания структуры базы данных." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Подготовить базу данных для журналирования с помощью snort-pgsql?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Журналирование в базу данных можно настроить позже с помощью команды " #~ "'dpkg-reconfigure -plow snort-pgsql'." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U <пользователь> -h <машина> -W <имя " #~ "базы данных>" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Замените на правильные значения пользователя, машины и базы данных. " #~ "PostgreSQL запросит у вас пароль." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "Изменить порядок проверки правил Snort на Pass|Alert|Log?" 
#~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Порядок проверки правил по умолчанию в Snort установлен как Alert|Pass|" #~ "Log; если вы ответите утвердительно, то порядок будет изменён на Pass|" #~ "Alert|Log, что упростит использование Snort с другими инструментами " #~ "фильтрации пакетов." debian/po/nl.po0000664000000000000000000004745512317374526010610 0ustar # Dutch translation of snort debconf templates. # Copyright (C) 2005-2012 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the snort package. # Bart Cornelis , 2005. # Peter Vandenabeele , 2008. # Jeroen Schot , 2012. # msgid "" msgstr "" "Project-Id-Version: snort 2.8.5.2-9.1\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2012-01-02 15:29+0100\n" "Last-Translator: Jeroen Schot \n" "Language-Team: Debian l10n Dutch \n" "Language: nl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "opstarten" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "inbellen" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "handmatig" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Opstartmethode van Snort:" # Type: select # Description #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." 
msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort kan gestart worden tijdens het opstarten van de computer, bij het " "openen van de netwerkverbinding door pppd of wanneer u het handmatig opstart." "via /usr/bin/snort." # Type: string # Description #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Op welke interface(s) moet Snort luisteren?" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Deze waarde is normaal 'eth0', maar misschien wil u dit aanpassen " "afhankelijk van uw netwerkomgeving. Als u een inbelverbinding gebruikt, is " "'ppp0' misschien meer geschikt (hint: gebruik 'ip link show' of 'ifconfig')." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Deze interface is normaal dezelfde die de 'default route' heeft. Om te " "bepalen welke interface gebruikt wordt, kunt u '/sbin/route -n' " "uitvoeren(zoek naar '0.0.0.0')." #. Type: string #. 
Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." msgstr "" "Het is ook niet ongewoon om Snort te draaien op een interface zonder IP " "adres en geconfigureerd in promiscue modus. In dat geval, selecteert u de " "interface die fysiek verbonden is met het netwerk dat u wilt onderzoeken, " "activeert u later de promiscue modus en verzekert u zich ervan dat het " "netwerkverkeer naar deze interface verzonden wordt (verbonden via een 'port " "mirroring/spanning'-poort op een switch, via een hub, of via een tap)" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "U kunt hier verschillende interfaces definiëren, door meer dan één naam van " "een interface te vermelden, gescheiden door spaties. Elke interface kan zijn " "eigen specifieke configuratie hebben." # Type: string # Description #. Type: string #. 
Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Adresbereik waarop Snort zal luisteren?" # Type: string # Description #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "U dient de CIDR-vorm te gebruiken (dit is 192.168.1.0/24 voor een blok van " "256 IP-adressen of 192.168.1.42/32 voor één enkel IP-adres). U kunt meerdere " "adressen opgeven op één regel door ze te scheiden met komma's; spaties zijn " "hierbij niet toegestaan!" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Merk op dat als u meerdere interfaces gebruikt, deze definitie gebruikt zal " "worden als de HOME_NET definitie van al deze interfaces." # Type: boolean # Description #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" msgstr "Wilt u dat Snort de promiscue modus van de interface uitschakelt?" # Type: boolean # Description #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "Uitschakelen van de promiscue modus betekent dat Snort enkel die pakketten " "ziet die bestemd zijn voor zijn eigen interface. Het inschakelen van de " "promiscue modus laat Snort toe om elk op dit ethernet-segment langskomend " "pakket te controleren, zelfs als het een pakket is van een verbinding tussen " "twee andere computers." #. Type: error #. 
Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Ongeldige interface" #. Type: error #. Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort probeert een interface te gebruiken die niet bestaat of die niet " "actief is. Ofwel gebruikt Snort onterecht de standaard interface 'eth0', or " "heb je een interface opgegeven die niet correct is." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Moeten de dagelijkse samenvattingen per e-mail worden verstuurd ?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Een cron job kan opgezet worden om dagelijks samenvattingen van de " "logbestanden van Snort naar een bepaald e-mailadres te sturen." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Gelieve te kiezen als u deze optie wil activeren." # Type: string # Description #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Ontvanger van de dagelijkse statistiek-e-mails:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Gelieve het e-mailadres op te geven dat de dagelijkse samenvatting van de " "logbestanden van Snort moet ontvangen." #. Type: string #. 
Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Extra eigen opties:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Gelieve eventuele additionele opties te geven die Snort moet gebruiken" #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Minimum aantal keren voorkomen om alarmen te rapporteren:" # Type: string # Description #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Een waarschuwing dient vaker dan het hier opgegeven aantal keren voor te " "komen opdat die weergegeven zou worden in de dagelijkse statistieken." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Een herstart van Snort is vereist" #. Type: note #. Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Aangezien Snort normaal handmatig wordt gestart, moet u '/etc/init.d/snort' " "uitvoeren om de aanpassingen door te voeren." #. Type: error #. Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Verouderd configuratie bestand" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Uw systeem heeft een verouderd configuratiebestand (/etc/snort/snort.common." 
"parameters) dat nu automatisch is omgezet in een nieuw " "configuratiebestandsindeling (in /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Gelieve het nieuwe configuratiebestand na te kijken en het verouderde " "bestand te verwijderen. Tot u dit doet, zal het initialisatie-script de " "nieuwe configuratie niet gebruiken en zal u niet kunnen genieten van de " "voordelen die de nieuwere versies bieden." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Verouderd configuratie bestand" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Uw snort-configuratiebestand (/etc/snort/snort.conf) maakt gebruik van " "verouderde opties die door deze versie niet meer ondersteund worden. Met een " "onjuist configuratiebestand kan Snort niet opstarten. U kunt uw bestaande " "configuratiebestand vervangen met het door dit pakket meegeleverde bestand, " "of u kunt de verouderde opties handmatig verwijderen." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "De volgende verouderde opties werden in uw configuratiebestand aangetroffen: " "${DEP_CONFIG}" #. Type: error #. 
Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Configuratiefout" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "De huidige Snort configuratie is ongeldig en zal verhinderen dat Snort " "normaal wordt opgestart. Gelieve de configuratie na te kijken en te " "corrigeren." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Om een fout in een Snort configuratiebestand te analyseren, gebruik '/usr/" "sbin/snort -T -c '." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Verouderd configuratie bestand" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. 
Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "De volgende verouderde opties werden in uw configuratiebestand aangetroffen: " "${DEP_CONFIG}" # Type: boolean # Description #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "" #~ "Wilt u een een database opzetten waar snort-mysql het logboek in kan " #~ "bijhouden?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Er is geen database opgezet voor Snort om naar te loggen. Voor u verder " #~ "kan gaan, moet u deze eerst opzetten:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - De computernaam van de server (deze moet TCP-verbindingen van\n" #~ " deze machine accepteren);\n" #~ " - een database op die server;\n" #~ " - een gebruikersnaam en wachtwoord om toegang te krijgen tot de database." #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Als sommige van deze noodzakelijke elementen ontbreken, gebruik dan deze " #~ "optie niet en draai Snort met gewone logging naar een bestand." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." 
#~ msgstr "" #~ "Logging naar een database kan later ook nog geconfigureerd worden met het " #~ "commando 'dpkg-reconfigure -plow snort-mysql'" #~ msgid "Database server hostname:" #~ msgstr "Computernaam van databaseserver:" # Type: string # Description #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Gelieve een hostnaam voor de database server op te geven. U dient ervoor " #~ "te zorgen dat deze correct is ingesteld is om inkomende verbindingen van " #~ "deze computer te aanvaarden!" #~ msgid "Database name:" #~ msgstr "databasenaam:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Gelieve de naam van een bestaande database op te geven waarnaar de " #~ "database gebruiker schrijftoegang heeft" #~ msgid "Username for database access:" #~ msgstr "Gebruikersnaam voor databasetoegang:" # Type: string # Description #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Gelieve een database-gebruikersnaam op te geven met schrijfrechten in de " #~ "database:" # Type: password # Description #~ msgid "Password for the database connection:" #~ msgstr "Gelieve het wachtwoord voor de databaseverbinding in te geven:" # Type: password # Description #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Wat is het wachtwoord om verbinding te maken met de Snort-Alert database?" #~ msgid "Configured database mandatory for Snort" #~ msgstr "Een geconfigureerde database is noodzakelijk voor Snort" # Type: note # Description #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. 
In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort heeft een geconfigureerde database nodig voor het succesvol kan " #~ "opstarten. Om de structuur aan te maken, moet u volgende commando's " #~ "uitvoeren NADAT het pakket is geïnstalleerd:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ "cd·/usr/share/doc/snort-mysql/zcat·create_mysql.gz·|·mysql·-u··-" #~ "h··-p·" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Vul de correcte waarden in voor gebruiker, host en database namen. MySQL " #~ "zal u vragen naar het wachtwoord." # Type: note # Description #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." #~ msgstr "" #~ "Nadat u de database-indeling heeft aangemaakt, moet u Snort handmatig " #~ "starten." # Type: boolean # Description #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "" #~ "Wilt u een database opzetten waar snort-pgsql het logboek in kan " #~ "bijhouden?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Logging naar een database kan later opnieuw geconfigureerd worden met het " #~ "commando 'dpkg-reconfigure -plow snort-pgslq'" #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ "·cd·/usr/share/doc/snort-pgsql/·zcat·create_postgresql.gz·|·psql·-" #~ "U··-h··-W·" #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Vul de correcte waarden in voor gebruiker, host en database namen. " #~ "PostgreSQL zal u later vragen om het wachtwoord." 
debian/po/fi.po0000664000000000000000000004650012317374526010563 0ustar msgid "" msgstr "" "Project-Id-Version: snort\n" "Report-Msgid-Bugs-To: snort@packages.debian.org\n" "POT-Creation-Date: 2013-09-29 00:16+0200\n" "PO-Revision-Date: 2008-04-28 07:39+0200\n" "Last-Translator: Esko Arajärvi \n" "Language-Team: debian-l10n-finnish@lists.debian.org \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: FINLAND\n" #. Type: select #. Choices #: ../snort.templates:2001 msgid "boot" msgstr "käynnistettäessä järjestelmä" #. Type: select #. Choices #: ../snort.templates:2001 msgid "dialup" msgstr "soitettaessa" #. Type: select #. Choices #: ../snort.templates:2001 msgid "manual" msgstr "manuaalinen" #. Type: select #. Description #: ../snort.templates:2002 msgid "Snort start method:" msgstr "Snortin käynnistystapa:" #. Type: select #. Description #: ../snort.templates:2002 #, fuzzy #| msgid "" #| "Snort can be started during boot, when connecting to the net with pppd or " #| "only manually with the /usr/sbin/snort command." msgid "" "Please choose how Snort should be started: automatically on boot, " "automatically when connecting to the net with pppd, or manually with the /" "usr/sbin/snort command." msgstr "" "Snort voidaan käynnistää järjestelmän käynnistyksen yhteydessä, otettaessa " "verkkoyhteys pppd:llä tai manuaalisesti komennolla /usr/bin/snort." #. Type: string #. Description #: ../snort.templates:3001 msgid "Interface(s) which Snort should listen on:" msgstr "Verkkoliitännät, joita Snortin tulisi kuunnella:" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "This value is usually 'eth0', but this may be inappropriate in some " #| "network environments; for a dialup connection 'ppp0' might be more " #| "appropriate (see the output of '/sbin/ifconfig')." 
msgid "" "This value is usually \"eth0\", but this may be inappropriate in some " "network environments; for a dialup connection \"ppp0\" might be more " "appropriate (see the output of \"/sbin/ifconfig\")." msgstr "" "Tämä arvo on useimmiten ”eth0”, mutta verkkoympäristöstä riippuen se saattaa " "olla muukin. Käytettäessä soittosarjayhteyttä ”ppp0” saattaa olla sopivampi. " "(Katso komennon /sbin/ifconfig tulostetta.)" #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "Typically, this is the same interface as the 'default route' is on. You " #| "can determine which interface is used for this by running '/sbin/route -" #| "n' (look for '0.0.0.0')." msgid "" "Typically, this is the same interface as the \"default route\" is on. You " "can determine which interface is used for this by running \"/sbin/route -n" "\" (look for \"0.0.0.0\")." msgstr "" "Tyypillisesti oletusreitti kulkee tämän liitännän kautta. Oletusreitin saa " "selville komennolla ”/sbin/route -n” (etsi kohta ”0.0.0.0”)." #. Type: string #. Description #: ../snort.templates:3001 #, fuzzy #| msgid "" #| "It is also not uncommon to use an interface with no IP address configured " #| "in promiscuous mode. For such cases, select the interface in this system " #| "that is physically connected to the network that should be inspected, " #| "enable promiscuous mode later on and make sure that the network traffic " #| "is sent to this interface (either connected to a 'port mirroring/" #| "spanning' port in a switch, to a hub or to a tap)." msgid "" "It is also not uncommon to use an interface with no IP address configured in " "promiscuous mode. For such cases, select the interface in this system that " "is physically connected to the network that should be inspected, enable " "promiscuous mode later on and make sure that the network traffic is sent to " "this interface (either connected to a \"port mirroring/spanning\" port in a " "switch, to a hub, or to a tap)." 
msgstr "" "Usein käytetään myös liitäntää, jolla ei ole IP-osoitetta ja joka on " "asetettu tilaan, jossa kaikki nähdyt paketit otetaan vastaan (”promiscuous " "mode”). Valitse tällaisissa tapauksissa järjestelmän liitäntä, joka on " "fyysisesti kiinni tutkittavassa verkossa, valitse vastaanottotila myöhemmin " "ja varmista, että verkkoliikenne lähetetään tähän liitäntään (yhdistä se " "portit peilaavaan kytkimen liitäntään, keskittimeen tai muuhun monistimeen)." "\"" #. Type: string #. Description #: ../snort.templates:3001 msgid "" "You can configure multiple interfaces, just by adding more than one " "interface name separated by spaces. Each interface can have its own specific " "configuration." msgstr "" "Useampia liitäntöjä voidaan asettaa antamalla liitäntöjen nimet välilyönnein " "eroteltuina. Jokaiselle liitännälle voidaan tehdä omat asetukset." #. Type: string #. Description #: ../snort.templates:4001 msgid "Address range for the local network:" msgstr "Paikallisen verkon osoitealue:" #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 " "addresses or 192.168.1.42/32 for just one. Multiple values should be comma-" "separated (without spaces)." msgstr "" "Käytä CIDR-muotoa, esimerkiksi 192.168.1.0/24 256 IP-osoitteen " "määrittämiseksi tai 192.168.1.42/32 yhden määrittämiseksi. Useampi alue " "voidaan syöttää pilkuin eroteltuina (ilman välilyöntejä)." #. Type: string #. Description #: ../snort.templates:4001 msgid "" "Please note that if Snort is configured to use multiple interfaces, it will " "use this value as the HOME_NET definition for all of them." msgstr "" "Jos Snort on asetettu käyttämään useampia liitäntöjä, se käyttää tätä arvoa " "niiden kaikkien HOME_NET-määritteenä." #. Type: boolean #. Description #: ../snort.templates:5001 msgid "Should Snort disable promiscuous mode on the interface?" 
msgstr "" "Tulisiko Snortin asettaa liitäntä ottamaan vastaan vain sille tarkoitetut " "paketit?" #. Type: boolean #. Description #: ../snort.templates:5001 msgid "" "Disabling promiscuous mode means that Snort will only see packets addressed " "to the interface it is monitoring. Enabling it allows Snort to check every " "packet that passes the Ethernet segment even if it's a connection between " "two other computers." msgstr "" "”Promiscuous mode”-tilan poistaminen käytöstä tarkoittaa, että Snort näkee " "vain paketit, jotka on lähetetty sen seuraamaan liitäntään. Tilan " "käyttäminen sallii Snortin tarkistaa kaikki verkkolohkon paketit, vaikka ne " "lähetettäisiinkin kahden muun koneen välillä." #. Type: error #. Description #: ../snort.templates:6001 msgid "Invalid interface" msgstr "Virheellinen liitäntä" #. Type: error #. Description #: ../snort.templates:6001 #, fuzzy #| msgid "" #| "Snort is trying to use an interface which does not exist or is down. " #| "Either it is defaulting inappropriately to 'eth0', or you specified one " #| "which is invalid." msgid "" "Snort is trying to use an interface which does not exist or is down. Either " "it is defaulting inappropriately to \"eth0\", or you specified one which is " "invalid." msgstr "" "Snort yrittää käyttää liitäntää, jota ei ole olemassa tai joka ei ole " "toiminnassa. Joko se yrittää virheellisesti kuunnella oletusliitäntää ”eth0” " "tai asettamasi liitäntä on virheellinen." #. Type: boolean #. Description #: ../snort.templates:7001 msgid "Should daily summaries be sent by e-mail?" msgstr "Tulisiko päivittäiset yhteenvedot lähettää sähköpostilla?" #. Type: boolean #. Description #: ../snort.templates:7001 msgid "" "A cron job can be set up to send daily summaries of Snort logs to a selected " "e-mail address." msgstr "" "Päivittäiset Snortin lokien yhteenvedot voidaan lähettää annettuun " "sähköpostiosoitteeseen cron-työn avulla." #. Type: boolean #. 
Description #: ../snort.templates:7001 msgid "Please choose whether you want to activate this feature." msgstr "Valitse otetaanko tämä ominaisuus käyttöön." #. Type: string #. Description #: ../snort.templates:8001 msgid "Recipient of daily statistics mails:" msgstr "Päivittäisten tilastosähköpostien vastaanottaja:" #. Type: string #. Description #: ../snort.templates:8001 msgid "" "Please specify the e-mail address that should receive daily summaries of " "Snort logs." msgstr "" "Anna sähköpostiosoite, johon päivittäiset Snortin lokien yhteenvedot tulisi " "lähettää." #. Type: string #. Description #: ../snort.templates:9001 msgid "Additional custom options:" msgstr "Mukauttavat lisäasetukset:" #. Type: string #. Description #: ../snort.templates:9001 msgid "Please specify any additional options Snort should use." msgstr "Anna mahdolliset lisäasetukset, joita Snortin tulisi käyttää." #. Type: string #. Description #: ../snort.templates:10001 msgid "Minimum occurrences before alerts are reported:" msgstr "Varoituksen esiintymiskertojen vähimmäismäärä:" #. Type: string #. Description #: ../snort.templates:10001 msgid "" "Please enter the minimum number of alert occurrences before a given alert is " "included in the daily statistics." msgstr "" "Anna vähimmäismäärä montako kertaa varoituksen tulee esiintyä ennen kuin se " "sisällytetään päivittäisiin tilastoihin." #. Type: note #. Description #: ../snort.templates:11001 msgid "Snort restart required" msgstr "Snort tulee käynnistää uudelleen" #. Type: note #. Description #: ../snort.templates:11001 #, fuzzy #| msgid "" #| "As Snort is manually launched, you need to run '/etc/init.d/snort' for " #| "the changes to take place." msgid "" "As Snort is manually launched, you need to run \"service snort restart\" for " "the changes to take place." msgstr "" "Koska Snort on käynnistetty käsin, tulee komento ”/etc/init.d/snort” ajaa " "muutosten ottamiseksi käyttöön." #. Type: error #. 
Description #: ../snort.templates:12001 msgid "Obsolete configuration file" msgstr "Vanhentunut asetustiedosto" #. Type: error #. Description #: ../snort.templates:12001 msgid "" "This system uses an obsolete configuration file (/etc/snort/snort.common." "parameters) which has been automatically converted into the new " "configuration file format (at /etc/default/snort)." msgstr "" "Järjestelmä käyttää vanhentunutta asetustiedostoa (/etc/snort/snort.common." "parameters), joka on automaattisesti muunnettu asetustiedoston uuteen " "muotoon (sijaintiin /etc/default/snort)." #. Type: error #. Description #: ../snort.templates:12001 msgid "" "Please review the new configuration and remove the obsolete one. Until you " "do this, the initialization script will not use the new configuration and " "you will not take advantage of the benefits introduced in newer releases." msgstr "" "Tarkista uudet asetukset ja poista vanha tiedosto. Ennen kuin tämä tehdään, " "alustuskomentosarja ei käytä uusia asetuksia, eikä tällöin saada käyttöön " "uudempien julkaisuiden parannuksia." #. Type: note #. Description #: ../snort-common.templates:2001 #, fuzzy #| msgid "Deprecated configuration file" msgid "Deprecated options in configuration file" msgstr "Vanhentunut asetustiedosto" #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The Snort configuration file (/etc/snort/snort.conf) uses deprecated options " "no longer available for this Snort release. Snort will not be able to start " "unless you provide a correct configuration file. Either allow the " "configuration file to be replaced with the one provided in this package or " "fix it manually by removing deprecated options." msgstr "" "Snortin asetustiedostossa (/etc/snort/snort.conf) on käytetty valitsimia, " "jotka eivät enää ole käytössä tässä Snortin julkaisussa. Snortia ei voida " "käynnistää ilman kelvollista asetustiedostoa. 
Asetustiedosto voidaan joko " "korvata tämän paketin mukana tulleella tai se voidaan korjata käsin " "poistamalla vanhentuneet valitsimet." #. Type: note #. Description #: ../snort-common.templates:2001 msgid "" "The following deprecated options were found in the configuration file: " "${DEP_CONFIG}" msgstr "" "Asetustiedostosta löytyi seuraavat käytöstä poistetut valitsimet:\n" " ${DEP_CONFIG}." #. Type: error #. Description #: ../snort-common.templates:3001 msgid "Configuration error" msgstr "Asetusvirhe" #. Type: error #. Description #: ../snort-common.templates:3001 msgid "" "The current Snort configuration is invalid and will prevent Snort starting " "up normally. Please review and correct it." msgstr "" "Snortin nykyiset asetukset ovat virheelliset ja estävät Snortin normaalin " "käynnistyksen. Tarkista ja korjaa ne." #. Type: error #. Description #: ../snort-common.templates:3001 #, fuzzy #| msgid "" #| "To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -" #| "T -c '." msgid "" "To diagnose errors in your Snort configuration you can run (as root) the " "following: \"/usr/sbin/snort -T -c /etc/snort/snort.conf\"" msgstr "" "Snortin asetustiedoston virheitä voidaan etsiä komennolla ”/usr/sbin/snort -" "T -c ”." #. Type: note #. Description #: ../snort-common.templates:4001 msgid "Deprecated configuration file" msgstr "Vanhentunut asetustiedosto" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Your system has deprecated configuration files which should not be used any " "longer and might contain deprecated options. If included through the " "standard configuration file (/etc/snort/snort.conf), they might prevent " "Snort from starting up properly." msgstr "" #. Type: note #. Description #: ../snort-common.templates:4001 msgid "" "Please remove these files as well as any existing references to them in the /" "etc/snort/snort.conf configuration file." msgstr "" #. Type: note #. 
Description #: ../snort-common.templates:4001 #, fuzzy #| msgid "" #| "The following deprecated options were found in the configuration file: " #| "${DEP_CONFIG}" msgid "The following deprecated configuration files were found: ${DEP_FILE}" msgstr "" "Asetustiedostosta löytyi seuraavat käytöstä poistetut valitsimet:\n" " ${DEB_CONFIG}." #~ msgid "Set up a database for snort-mysql to log to?" #~ msgstr "Alustetaanko tietokanta snort-mysql:n lokeja varten?" #~ msgid "" #~ "No database has been set up for Snort to log to. Before continuing, you " #~ "should make sure you have:" #~ msgstr "" #~ "Snortille ei ole asetettu tietokantaa, johon se voisi kirjoittaa lokia. " #~ "Ennen kuin jatkat, varmista, että tiedät:" #~ msgid "" #~ " - the server host name (that server must allow TCP connections\n" #~ " from this machine);\n" #~ " - a database on that server;\n" #~ " - a username and password to access the database." #~ msgstr "" #~ " - palvelimen verkkonimen (palvelimen pitää sallia TCP-yhteydet\n" #~ " tältä koneelta)\n" #~ " - tietokannan kyseisellä palvelimella\n" #~ " - käyttäjätunnuksen ja salasanan tietokantaan" #~ msgid "" #~ "If some of these requirements are missing, reject this option and run " #~ "with regular file logging support." #~ msgstr "" #~ "Jos jokin näistä vaatimuksista ei täyty, älä valitse tätä vaihtoehtoa " #~ "vaan käytä lokien kirjoittamista tavallisiin tiedostoihin." #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-mysql'." #~ msgstr "" #~ "Lokien tietokantaan kirjoittaminen voidaan asettaa myöhemmin ajamalla " #~ "komento ”dpkg-reconfigure -plow snort-mysql”." #~ msgid "Database server hostname:" #~ msgstr "Tietokantapalvelimen verkkonimi:" #~ msgid "" #~ "Please specify the host name of a database server that allows incoming " #~ "connections from this host." #~ msgstr "" #~ "Anna sellaisen tietokantapalvelimen verkkonimi, joka sallii yhteydet " #~ "tältä koneelta." 
#~ msgid "Database name:" #~ msgstr "Tietokannan nimi:" #~ msgid "" #~ "Please specify the name of an existing database to which the database " #~ "user has write access." #~ msgstr "" #~ "Anna olemassa olevan tietokannan nimi, johon tietokantakäyttäjällä on " #~ "kirjoitusoikeudet." #~ msgid "Username for database access:" #~ msgstr "Tietokantayhteydessä käytettävä käyttäjätunnus:" #~ msgid "" #~ "Please specify a database server username with write access to the " #~ "database." #~ msgstr "" #~ "Anna tietokantapalvelimen käyttäjätunnus, jolla on kirjoitusoikeudet " #~ "tietokantaan." #~ msgid "Password for the database connection:" #~ msgstr "Tietokantayhteyden salasana:" #~ msgid "" #~ "Please enter the password to use to connect to the Snort Alert database." #~ msgstr "" #~ "Anna salasana, jota käytetään otettaessa yhteys Snortin " #~ "varoitustietokantaan." #~ msgid "Configured database mandatory for Snort" #~ msgstr "Snortin tietokannan asetusten teko pakollista" #~ msgid "" #~ "Snort needs a configured database before it can successfully start up. In " #~ "order to create the structure you need to run the following commands " #~ "AFTER the package is installed:" #~ msgstr "" #~ "Snort tarvitsee asetetun tietokannan ennen kuin se voidaan käynnistää " #~ "onnistuneesti. Tietokantarakenteen luomiseksi seuraavat komennot tulee " #~ "ajaa sen jälkeen, kun tämä paketti on asennettu:" #~ msgid "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgstr "" #~ " cd /usr/share/doc/snort-mysql/\n" #~ " zcat create_mysql.gz | mysql -u -h -p " #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. MySQL " #~ "will prompt you for the password." #~ msgstr "" #~ "Täytä oikeat arvot kohtiin tunnus, kone ja tietokanta. MySQL pyytää tämän " #~ "jälkeen salasanan." #~ msgid "" #~ "After you have created the database structure, you will need to start " #~ "Snort manually." 
#~ msgstr "Kun tietokannan rakenne on luotu, Snort täytyy käynnistää käsin." #~ msgid "Set up a database for snort-pgsql to log to?" #~ msgstr "Alustetaanko tietokanta snort-pgsql:n lokeja varten?" #~ msgid "" #~ "Database logging can be reconfigured later by running 'dpkg-reconfigure -" #~ "plow snort-pgsql'." #~ msgstr "" #~ "Lokien tietokantaan kirjoittaminen voidaan asettaa myöhemmin ajamalla " #~ "komento ”dpkg-reconfigure -plow snort-pgsql”." #~ msgid "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgstr "" #~ " cd /usr/share/doc/snort-pgsql/\n" #~ " zcat create_postgresql.gz | psql -U -h -W " #~ msgid "" #~ "Fill in the correct values for the user, host, and database names. " #~ "PostgreSQL will prompt you for the password." #~ msgstr "" #~ "Täytä oikeat arvot kohtiin tunnus, kone ja tietokannan nimi. PostgreSQL " #~ "pyytää tämän jälkeen salasanan." #~ msgid "Should Snort's testing order be changed to Pass|Alert|Log?" #~ msgstr "" #~ "Tulisiko Snortin sääntöjen testausjärjestykseksi vaihtaa Pass|Alert|Log?" #~ msgid "" #~ "Snort's default testing order is Alert|Pass|Log; if you accept this " #~ "option, the order will be changed to Pass|Alert|Log, which can make it " #~ "simpler to use Snort with some packet-filtering tools." #~ msgstr "" #~ "Oletuksena Snortin sääntöjen testausjärjestys on Alert|Pass|log. Jos " #~ "valitset tämän vaihtoehdon, järjestykseksi vaihdetaan Pass|Alert|Log, " #~ "mikä saattaa helpottaa Snortin käyttöä joidenkin " #~ "pakettiensuodatustyökalujen kanssa." 
#~ msgid "You are running Snort manually" #~ msgstr "Snortia ajetaan manuaalisesti" #~ msgid "There is an error in your configuration" #~ msgstr "Asetuksissa on virhe" debian/snort-inline.templates0000664000000000000000000001024612317374213013537 0ustar Template: snort-inline/startup Type: select __Choices: boot, dialup, manual Default: boot _Description: Snort start method: Snort can be started during boot, when connecting to the net with pppd or only manually with the /usr/sbin/snort command. Template: snort-inline/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: This value is usually 'eth0', but this may be inappropriate in some network environments; for a dialup connection 'ppp0' might be more appropiate (see the output of '/sbin/ifconfig'). . Typically, this is the same interface as the 'default route' is on. You can determine which interface is used for this by running '/sbin/route -n' (look for '0.0.0.0'). . It is also not uncommon to use an interface with no IP address configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a 'port mirroring/spanning' port in a switch, to a hub or to a tap). . You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration. Template: snort-inline/address_range Type: string Default: 192.168.0.0/16 _Description: Address range for the local network: Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces). . Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them. 
Template: snort-inline/disable_promiscuous Type: boolean Default: false _Description: Should Snort disable promiscuous mode on the interface? Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers. Template: snort-inline/invalid_interface Type: error _Description: Invalid interface Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to 'eth0', or you specified one which is invalid. Template: snort-inline/send_stats Type: boolean Default: true _Description: Should daily summaries be sent by e-mail? A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address. . Please choose whether you want to activate this feature. Template: snort-inline/stats_rcpt Type: string Default: root _Description: Recipient of daily statistics mails: Please specify the e-mail address that should receive daily summaries of Snort logs. Template: snort-inline/options Type: string _Description: Additional custom options: Please specify any additional options Snort should use. Template: snort-inline/stats_treshold Type: string Default: 1 _Description: Minimum occurrences before alerts are reported: Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics. Template: snort-inline/please_restart_manually Type: note _Description: Snort restart required As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. Template: snort-inline/config_error Type: error _Description: Configuration error The current Snort configuration is invalid and will prevent Snort starting up normally. Please review and correct it. . To diagnose an error in a Snort configuration file, use '/usr/sbin/snort -T -c '. 
Template: snort-inline/config_parameters Type: error _Description: Obsolete configuration file This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort). . Please review the new configuration and remove the obsolete one. Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases. debian/snort-mysql.templates0000664000000000000000000001333012317374213013423 0ustar Template: snort-mysql/startup Type: select __Choices: boot, dialup, manual Default: boot _Description: Snort start method: Snort can be started during boot, when connecting to the net with pppd or only manually with the /usr/sbin/snort command. Template: snort-mysql/interface Type: string Default: eth0 _Description: Interface(s) which Snort should listen on: This value is usually 'eth0', but this may be inappropriate in some network environments; for a dialup connection 'ppp0' might be more appropiate (see the output of '/sbin/ifconfig'). . Typically, this is the same interface as the 'default route' is on. You can determine which interface is used for this by running '/sbin/route -n' (look for '0.0.0.0'). . It is also not uncommon to use an interface with no IP address configured in promiscuous mode. For such cases, select the interface in this system that is physically connected to the network that should be inspected, enable promiscuous mode later on and make sure that the network traffic is sent to this interface (either connected to a 'port mirroring/spanning' port in a switch, to a hub or to a tap). . You can configure multiple interfaces, just by adding more than one interface name separated by spaces. Each interface can have its own specific configuration. 
Template: snort-mysql/address_range Type: string Default: 192.168.0.0/16 _Description: Address range for the local network: Please use the CIDR form - for example, 192.168.1.0/24 for a block of 256 addresses or 192.168.1.42/32 for just one. Multiple values should be comma-separated (without spaces). . Please note that if Snort is configured to use multiple interfaces, it will use this value as the HOME_NET definition for all of them. Template: snort-mysql/disable_promiscuous Type: boolean Default: false _Description: Should Snort disable promiscuous mode on the interface? Disabling promiscuous mode means that Snort will only see packets addressed to the interface it is monitoring. Enabling it allows Snort to check every packet that passes the Ethernet segment even if it's a connection between two other computers. Template: snort-mysql/invalid_interface Type: error _Description: Invalid interface Snort is trying to use an interface which does not exist or is down. Either it is defaulting inappropriately to 'eth0', or you specified one which is invalid. Template: snort-mysql/send_stats Type: boolean Default: true _Description: Should daily summaries be sent by e-mail? A cron job can be set up to send daily summaries of Snort logs to a selected e-mail address. . Please choose whether you want to activate this feature. Template: snort-mysql/stats_rcpt Type: string Default: root _Description: Recipient of daily statistics mails: Please specify the e-mail address that should receive daily summaries of Snort logs. Template: snort-mysql/options Type: string _Description: Additional custom options: Please specify any additional options Snort should use. Template: snort-mysql/stats_treshold Type: string Default: 1 _Description: Minimum occurrences before alerts are reported: Please enter the minimum number of alert occurrences before a given alert is included in the daily statistics. 
Template: snort-mysql/please_restart_manually Type: note _Description: Snort restart required As Snort is manually launched, you need to run '/etc/init.d/snort' for the changes to take place. Template: snort-mysql/config_parameters Type: error _Description: Obsolete configuration file This system uses an obsolete configuration file (/etc/snort/snort.common.parameters) which has been automatically converted into the new configuration file format (at /etc/default/snort). . Please review the new configuration and remove the obsolete one. Until you do this, the initialization script will not use the new configuration and you will not take advantage of the benefits introduced in newer releases. Template: snort-mysql/configure_db Type: boolean Default: true _Description: Set up a database for snort-mysql to log to? No database has been set up for Snort to log to. Before continuing, you should make sure you have: . - the server host name (that server must allow TCP connections from this machine); - a database on that server; - a username and password to access the database. . If some of these requirements are missing, reject this option and run with regular file logging support. . Database logging can be reconfigured later by running 'dpkg-reconfigure -plow snort-mysql'. Template: snort-mysql/db_host Type: string _Description: Database server hostname: Please specify the host name of a database server that allows incoming connections from this host. Template: snort-mysql/db_database Type: string _Description: Database name: Please specify the name of an existing database to which the database user has write access. Template: snort-mysql/db_user Type: string _Description: Username for database access: Please specify a database server username with write access to the database. Template: snort-mysql/db_pass Type: password _Description: Password for the database connection: Please enter the password to use to connect to the Snort Alert database. 
Template: snort-mysql/needs_db_config Type: note _Description: Configured database mandatory for Snort Snort needs a configured database before it can successfully start up. In order to create the structure you need to run the following commands AFTER the package is installed: . cd /usr/share/doc/snort-mysql/ zcat create_mysql.gz | mysql -u -h -p . Fill in the correct values for the user, host, and database names. MySQL will prompt you for the password. . After you have created the database structure, you will need to start Snort manually. debian/generate-templates.sh0000664000000000000000000000153712317374213013323 0ustar #!/bin/sh -e # Generate templates for the Snort packages # This should be done whenever the templates are modified for package in "" mysql pgsql inline; do packagename=$package [ -n "$package" ] && packagename="-$packagename" OUTPUT="snort$packagename.templates" echo "Generating templates for snort$packagename at $OUTPUT" cat snort.TEMPLATE.templates | sed -e "s/{PACKAGE}/$packagename/g" >$OUTPUT # Add Database templates also if [ "$package" = "mysql" ] || [ "$package" = "pgsql" ] ; then cat snort.DATABASE.templates | sed -e "s/{PACKAGE}/$packagename/g" | sed -e "s/{DATABASE}/$package/g" >>$OUTPUT fi # Finally, add any additional templates this package might have if [ -e "snort$packagename.ADD.templates" ] ; then cat "snort$packagename.ADD.templates" >>$OUTPUT fi done exit 0 debian/README.docs0000664000000000000000000000013012317374526011003 0ustar Please notice that additional documentation is available at http://www.snort.org/docs/ debian/snort.init.d0000664000000000000000000003105412317374526011461 0ustar #!/bin/sh -e # # Init.d script for Snort in Debian # # Copyright (c) 2001 Christian Hammers # Copyright (c) 2001-2002 Robert van der Meulen # Copyright (c) 2002-2004 Sander Smeenk # Copyright (c) 2004-2012 Javier Fernandez-Sanguino # # This is free software; you may redistribute it and/or modify # it under the terms of the GNU General Public 
License as # published by the Free Software Foundation; either version 2, # or (at your option) any later version. # # This is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License with # the Debian operating system, in /usr/share/common-licenses/GPL; if # not, write to the Free Software Foundation, Inc., 59 Temple Place, # Suite 330, Boston, MA 02111-1307 USA # ### BEGIN INIT INFO # Provides: snort # Required-Start: $time $network $local_fs $remote_fs # Required-Stop: $network $remote_fs # Should-Start: $syslog # Should-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Lightweight network intrusion detection system # Description: Intrusion detection system that will # capture traffic from the network cards and will # match against a set of known attacks. ### END INIT INFO PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin test $DEBIAN_SCRIPT_DEBUG && set -v -x DAEMON=/usr/sbin/snort NAME=snort DESC="Network Intrusion Detection System" . /lib/lsb/init-functions CONFIG=/etc/snort/snort.debian.conf # Old (obsolete) way to provide parameters if [ -f /etc/snort/snort.common.parameters ] ; then COMMON=`cat /etc/snort/snort.common.parameters` elif [ -r /etc/default/snort ] ; then # Only read this if the old configuration is not present . /etc/default/snort COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP" fi test -x $DAEMON || exit 0 test -f $CONFIG && . $CONFIG test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16" # to find the lib files cd /etc/snort running() { PIDFILE=$1 # No pidfile, probably no daemon present [ ! -f "$PIDFILE" ] && return 1 pid=`cat $PIDFILE` # No pid, probably no daemon present [ -z "$pid" ] && return 1 [ ! 
-d /proc/$pid ] && return 1 cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` # No daemon [ "$cmd" != "$DAEMON" ] && return 1 return 0 } check_log_dir() { # Does the logging directory belong to Snort? # If we cannot determine the logdir return without error # (we will not check it) # This will only be used by people using /etc/default/snort [ -n "$LOGDIR" ] || return 0 [ -n "$SNORTUSER" ] || return 0 if [ ! -e "$LOGDIR" ] ; then log_failure_msg "ERR: logging directory $LOGDIR does not exist" return 1 elif [ ! -d "$LOGDIR" ] ; then log_failure_msg "ERR: logging directory $LOGDIR does not exist" return 1 else real_log_user=`stat -c %U $LOGDIR` # An alternative way is to check if the snort user can create # a file there... if [ "$real_log_user" != "$SNORTUSER" ] ; then log_failure_msg "ERR: logging directory $LOGDIR does not belong to the snort user $SNORTUSER" return 1 fi fi return 0 } check_root() { if [ "$(id -u)" != "0" ]; then log_failure_msg "You must be root to start, stop or restart $NAME." exit 4 fi } case "$1" in start) check_root log_daemon_msg "Starting $DESC " "$NAME" if ! check_log_dir; then log_failure_msg " will not start $DESC!" exit 5 fi if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then shift set +e /etc/ppp/ip-up.d/snort "$@" ret=$? if [ $ret -eq 0 ] ; then log_end_msg 0 else log_end_msg 1 fi exit $ret fi # Usually, we start all interfaces interfaces="$DEBIAN_SNORT_INTERFACE" # If we are requested to start a specific interface... test "$2" && interfaces="$2" # If the interfaces list is empty stop (no error) if [ -z "$interfaces" ] ; then log_progress_msg "no interfaces configured, will not start" log_end_msg 0 exit 0 fi myret=0 got_instance=0 for interface in $interfaces; do got_instance=1 log_progress_msg "($interface" # Check if the interface is available: # - only if iproute is available # - the interface exists # - the interface is up if ! 
[ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then PIDFILE=/var/run/snort_$interface.pid CONFIGFILE=/etc/snort/snort.$interface.conf # Defaults: fail="failed (check /var/log/daemon.log, /var/log/syslog and /var/log/snort/)" run="yes" if [ -e "$PIDFILE" ] && running $PIDFILE; then run="no" # Do not start this instance, it is already runing fi if [ "$run" = "yes" ] ; then if [ ! -e "$CONFIGFILE" ]; then log_progress_msg "using /etc/snort/snort.conf" CONFIGFILE=/etc/snort/snort.conf else log_progress_msg "using /etc/snort/snort.$interface.conf" fi set +e /sbin/start-stop-daemon --start --quiet \ --pidfile "$PIDFILE" \ --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \ -c $CONFIGFILE \ -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \ -i $interface >/dev/null ret=$? case "$ret" in 0) log_progress_msg "...done)" ;; *) log_progress_msg "...ERROR: $fail)" myret=$(expr "$myret" + 1) ;; esac set -e else log_progress_msg "...already running)" fi else # What to do if the interface is not available # or is not up if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then log_progress_msg "...interface not available)" else log_progress_msg "...ERROR: interface not available)" myret=$(expr "$myret" + 1) fi fi done if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then log_failure_msg "No snort instance found to be started!" >&2 exit 6 fi if [ $myret -eq 0 ] ; then log_end_msg 0 else log_end_msg 1 fi exit $myret ;; stop) check_root log_daemon_msg "Stopping $DESC " "$NAME" if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then shift set +e /etc/ppp/ip-down.d/snort "$@" ret=$? if [ $ret -eq 0 ] ; then log_end_msg 0 else log_end_msg 1 fi exit $ret fi # Usually, we stop all current running interfaces pidpattern=/var/run/snort_*.pid # If we are requested to stop a specific interface... 
test "$2" && pidpattern=/var/run/snort_"$2".pid got_instance=0 myret=0 for PIDFILE in $pidpattern; do # This check is also needed, if the above pattern doesn't match test -f "$PIDFILE" || continue got_instance=1 interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//') log_progress_msg "($interface" set +e if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then # Change ownership of the pidfile /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null ret=$? rm -f "$PIDFILE" rm -f "$PIDFILE.lck" else log_progress_msg "cannot read $PIDFILE" ret=4 fi case "$ret" in 0) log_progress_msg "...done)" ;; *) log_progress_msg "...ERROR)" myret=$(expr "$myret" + 1) ;; esac set -e done if [ "$got_instance" = 0 ]; then log_warning_msg " - No running snort instance found" exit 0 # LSB demands we don't exit with error here fi if [ $myret -eq 0 ] ; then log_end_msg 0 else log_end_msg 1 fi exit $myret ;; restart|force-restart|reload|force-reload) check_root # Usually, we restart all current running interfaces pidpattern=/var/run/snort_*.pid # If we are requested to restart a specific interface... test "$2" && pidpattern=/var/run/snort_"$2".pid got_instance=0 for PIDFILE in $pidpattern; do # This check is also needed, if the above pattern doesn't match test -f "$PIDFILE" || continue got_instance=1 interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//') $0 stop $interface || true $0 start $interface || true done # If we did not find any instance of Snort then we restart all if [ "$got_instance" = 0 ]; then $0 start fi ;; status) # Non-root users can use this (if allowed to) log_daemon_msg "Status of snort daemon(s)" interfaces="$DEBIAN_SNORT_INTERFACE" # If we are requested to check for a specific interface... 
test "$2" && interfaces="$2" err=0 pid=0 for interface in $interfaces; do log_progress_msg " $interface " pidfile=/var/run/snort_$interface.pid if [ -f "$pidfile" ] ; then if [ -r "$pidfile" ] ; then pidval=`cat $pidfile` pid=$(expr "$pid" + 1) if ps -p $pidval | grep -q snort; then log_progress_msg "OK" else log_progress_msg "ERROR" err=$(expr "$err" + 1) fi else log_progress_msg "ERROR: cannot read status file" err=$(expr "$err" + 1) fi else log_progress_msg "ERROR" err=$(expr "$err" + 1) fi done if [ $err -ne 0 ] ; then if [ $pid -ne 0 ] ; then # More than one case where pidfile exists but no snort daemon # LSB demands a '1' exit value here log_end_msg 1 exit 1 else # No pidfiles at all # LSB demands a '3' exit value here log_end_msg 3 exit 3 fi fi log_end_msg 0 ;; config-check) log_daemon_msg "Checking $DESC configuration" if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then log_failure_msg "Config-check is currently not supported for snort in Dialup configuration" log_end_msg 3 exit 3 fi # usually, we test all interfaces interfaces="$DEBIAN_SNORT_INTERFACE" # if we are requested to test a specific interface... test "$2" && interfaces="$2" myret=0 got_instance=0 for interface in $interfaces; do got_instance=1 log_progress_msg "interface $interface" CONFIGFILE=/etc/snort/snort.$interface.conf if [ ! -e "$CONFIGFILE" ]; then CONFIGFILE=/etc/snort/snort.conf fi COMMON=`echo $COMMON | sed -e 's/-D//'` set +e fail="INVALID" if [ -r "$CONFIGFILE" ]; then $DAEMON -T $COMMON $DEBIAN_SNORT_OPTIONS \ -c $CONFIGFILE \ -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \ -i $interface >/dev/null 2>&1 ret=$? else fail="cannot read $CONFIGFILE" ret=4 fi set -e case "$ret" in 0) log_progress_msg "OK" ;; *) log_progress_msg "$fail" myret=$(expr "$myret" + 1) ;; esac done if [ "$got_instance" = 0 ]; then log_failure_msg "no snort instance found to be started!" 
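>&2 exit 6 fi if [ $myret -eq 0 ] ; then log_end_msg 0 else log_end_msg 1 fi exit $myret ;; *) echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}" exit 1 ;; esac exit 0 debian/snort-pgsql.preinst0000664000000000000000000000614312317374213013076 0ustar
#!/bin/sh
# preinst script for snort-pgsql
#
# summary of how this script can be called:
#   * `install'
#   * `install'        (with the previously installed version as $2)
#   * `upgrade'        (with the previously installed version as $2)
#   * `abort-upgrade'
#
# $1 is the action; for install/upgrade $2 is the old version and is
# empty on a first installation.
set -e

DEFAULT=/etc/default/snort
PARAMETERS=/etc/snort/snort.common.parameters

# Initialise variables (overwritten when $DEFAULT is sourced below)
SNORTUSER=""
SNORTGROUP=""
LOGDIR=""

#######################################
# Convert the old snort.common.parameters file into /etc/default/snort.
# Globals:   PARAMETERS (read), DEFAULT (written)
# Arguments: none
# Outputs:   one progress line on stdout when a conversion happens
# Returns:   0 always; a no-op unless $PARAMETERS is readable and
#            $DEFAULT does not exist yet
#######################################
check_parameters() {
  # Only convert when the old file is there and the new one has not
  # been installed yet, i.e. an upgrade from the old layout.
  [ -r "$PARAMETERS" ] || return 0
  [ ! -r "$DEFAULT" ] || return 0

  # Pull the -l/-u/-g values out of the old command line; whatever is
  # left over becomes PARAMS. Patterns are unchanged so existing files
  # convert exactly as before.
  logdir=$(perl -ne 'print $1 if /-l\s+([\w\/]+)/' "$PARAMETERS")
  user_snort=$(perl -ne 'print $1 if /-u\s+(\w+)/' "$PARAMETERS")
  group_snort=$(perl -ne 'print $1 if /-g\s+(\w+)/' "$PARAMETERS")
  extraparms=$(sed -e 's/-l[[:space:]]\+[\/[:alnum:]]\+[[:space:]]\+//g; s/-u[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g; s/-g[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g;' "$PARAMETERS")

  printf 'Creating new %s configuration based on %s\n' "$DEFAULT" "$PARAMETERS"
  # Write the new defaults file (it does not exist yet, see the check
  # above). The delimiter is deliberately unquoted so the values expand.
  cat <<EOF >"$DEFAULT"
# Parameters for the daemon
PARAMS="$extraparms"
# Logging directory
LOGDIR="$logdir"
# Snort user
SNORTUSER="$user_snort"
# Snort group
SNORTGROUP="$group_snort"
EOF
  return 0
}

case "$1" in
  install|upgrade)
    check_parameters
    if [ -r "$DEFAULT" ]; then
      . "$DEFAULT"
    fi

    # Sane defaults, just in case the defaults file leaves them empty
    : "${SNORTUSER:=snort}"
    : "${SNORTGROUP:=snort}"
    : "${LOGDIR:=/var/log/snort}"

    # Create a dedicated account so the daemon does not run as root.
    # 1. group, if it does not exist yet (a keyed getent lookup instead
    #    of grepping the whole database with the name as a regex)
    if ! getent group "$SNORTGROUP" >/dev/null; then
      addgroup --quiet --system "$SNORTGROUP" 2>/dev/null || true
    fi

    # 2. home directory: the log directory doubles as the account's home
    test -d "$LOGDIR" || mkdir "$LOGDIR"

    # 3. user, if it does not exist yet
    if ! getent passwd "$SNORTUSER" >/dev/null; then
      adduser --quiet \
        --system \
        --ingroup "$SNORTGROUP" \
        --no-create-home \
        --disabled-password \
        "$SNORTUSER" 2>/dev/null || true
    fi

    # 4. keep the passwd entry in line with the configured values
    #    (this runs on every upgrade as well, so manual edits to the
    #    account are reverted each time)
    usermod -c "Snort IDS" \
      -d "$LOGDIR" \
      -g "$SNORTGROUP" \
      "$SNORTUSER"

    # 5. ownership and permissions, unless the admin pinned them with
    #    dpkg-statoverride
    if ! dpkg-statoverride --list "$LOGDIR" >/dev/null; then
      # NOTE(review): a recursive chown over a directory that the
      # service user writes into is a known hardening concern for
      # maintainer scripts. It is kept so logs left by earlier versions
      # stay usable; restricting it to the directory itself would be
      # the safer choice if upgrades do not need it.
      chown -R "$SNORTUSER:adm" "$LOGDIR"
      chmod u=rwx,g=rxs,o= "$LOGDIR"
    fi

    # setup /etc/snort
    test -d /etc/snort || mkdir /etc/snort

    # move the config file from its pre-/etc/snort location
    if [ -e /etc/snort.conf ]; then
      mv /etc/snort.conf /etc/snort/snort.conf
    fi

    # rename a possibly existing cron job with the old name
    if [ -e /etc/cron.daily/snort ]; then
      mv /etc/cron.daily/snort /etc/cron.daily/5snort
    fi

    # On a first installation ($2 empty) flag that the database still
    # needs to be configured
    if [ "$1" = "install" ] && [ -z "$2" ]; then
      touch /etc/snort/db-pending-config
    fi
    ;;

  configure)
    ;;

  abort-upgrade)
    ;;

  *)
    echo "preinst called with unknown argument \`$1'" >&2
    exit 0
    ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#

exit 0
debian/snort-mysql.ADD.templates0000664000000000000000000000111712317374213014012 0ustar Template: snort-mysql/needs_db_config Type: note _Description: Configured database mandatory for Snort Snort needs a configured database before it can successfully start up. In order to create the structure you need to run the following commands AFTER the package is installed: . cd /usr/share/doc/snort-mysql/ zcat create_mysql.gz | mysql -u -h -p . Fill in the correct values for the user, host, and database names. MySQL will prompt you for the password. . After you have created the database structure, you will need to start Snort manually.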
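debian/snort-inline.cron.daily0000664000000000000000000000236512317374213013606 0ustar
#!/bin/sh
# Daily housekeeping for Snort: expire old raw packet logs and mail a
# summary of /var/log/snort/alert to the configured recipient.
#
# Read from /etc/snort/snort.debian.conf:
#   DEBIAN_SNORT_SEND_STATS      - "false" disables the whole job
#   DEBIAN_SNORT_STATS_RCPT      - mail recipient (default: root)
#   DEBIAN_SNORT_STATS_THRESHOLD - passed to snort-stat -t (default: 1)
#
# 'set -e' lives here rather than in the shebang so it still applies
# when the script is started as 'sh snort-inline.cron.daily'.
set -e

# Nothing to do when the daemon is not installed.
test -f /usr/sbin/snort || exit 0

LOGFILE=/var/log/snort/alert
PATH=/bin:/usr/bin:/sbin:/usr/sbin
CONFIG=/etc/snort/snort.debian.conf

. "$CONFIG"

# Don't generate stats if we are configured not to
[ "$DEBIAN_SNORT_SEND_STATS" = "false" ] && exit 0

# Exported as in the original job; presumably snort-stat reads them
# from the environment too -- TODO confirm
export DEBIAN_SNORT_STATS_RCPT DEBIAN_SNORT_STATS_THRESHOLD

# Just in case it's not properly configured for whatever reason
: "${DEBIAN_SNORT_STATS_THRESHOLD:=1}"
: "${DEBIAN_SNORT_STATS_RCPT:=root}"

# Cannot use logrotate to rotate these logfiles...
# 'rotate' saved RAW-Ethernet streams older than 15 days.
# New snort has different naming scheme, old one still here for upgrades.
# -type f plus -exec (instead of piping unquoted names into xargs) keeps
# odd file names intact and never hands a directory to rm.
for pattern in 'snort-*@*.log' 'tcpdump.log.*' 'snort.log.*'; do
  find /var/log/snort -type f -name "$pattern" -mtime +15 -exec rm -f -- {} +
done

# Mail snort stats, but only when there is something to report.
# sendmail -t takes the recipient from the To: header built here, so
# the configured value is written with printf rather than echo.
if [ -s "$LOGFILE" ]; then
  {
    printf 'To: %s\n' "$DEBIAN_SNORT_STATS_RCPT"
    snort-stat -a -t "$DEBIAN_SNORT_STATS_THRESHOLD" < "$LOGFILE"
  } | sendmail -t
fi

# Restarting snort is now handled by the logrotate configuration.
# The 'intelligence' of not to start in certain startup-modes moved
# to the init.d script as well.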
exit 0 debian/clean_sources.sh0000664000000000000000000000042612317374526012365 0ustar #!/bin/sh # Clean the sources make distclean # TODO: Consider adjusting SUBDIRS, so we do not remove the # doc dir # Make sure the sources are removed (in case somebody removed the # main Makefile but did not distclean) (cd src && test -e Makefile && make distclean) exit 0 debian/patches/0000775000000000000000000000000012317400025010611 5ustar debian/patches/fix_ftbfs_in_manual.tex0000664000000000000000000000205712317374526015354 0ustar Description: Fix FTBFS in manual.tex caused by missing html.sty Author: Michael Bienia Origin: vendor Bug-Debian: http://bugs.debian.org/436244 Last-Update: 2011-11-28 --- snort-2.9.2.orig/doc/snort_manual.tex +++ snort-2.9.2/doc/snort_manual.tex @@ -16,7 +16,7 @@ %\IfFileExists{url.sty}{\usepackage{url}} % {\newcommand{\url}{\texttt}} -\usepackage{html} +\usepackage{hyperref} % \makeatletter @@ -71,18 +71,18 @@ } %\end{latexonly} -\begin{htmlonly} -\newenvironment{note}{ - \begin{rawhtml} -

- Note:   - \end{rawhtml} -}{ - \begin{rawhtml} -

- \end{rawhtml} -} -\end{htmlonly} +%\begin{htmlonly} +%\newenvironment{note}{ +% \begin{rawhtml} +%

+% Note:   +% \end{rawhtml} +%}{ +% \begin{rawhtml} +%

+% \end{rawhtml} +%} +%\end{htmlonly} \usepackage{babel} debian/patches/fix_ftbfs_in_faq.tex0000664000000000000000000000124712317374213014637 0ustar Description: Fix FTBFS caused by html.sty being unavailable Author: Javier Fernandez-Sanguino Pen~a Origin: vendor Bug-Debian: http://bugs.debian.org/365872 Last-Update: 2011-12-28 --- snort-2.9.2.orig/doc/faq.tex +++ snort-2.9.2/doc/faq.tex @@ -2,7 +2,7 @@ %latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex \documentclass{article} -\usepackage{html} +\usepackage{hyperref} \usepackage{graphicx} \usepackage{fancyhdr} \usepackage{makeidx} @@ -98,11 +98,11 @@ book. (route++) \newpage -\begin{latexonly} +%\begin{latexonly} \tableofcontents \newpage -\end{latexonly} +%\end{latexonly} \section{Background} debian/patches/config0000664000000000000000000001371112317374526012024 0ustar Description: Debianize the upstream Snort configuration file Make the paths FHS compliant and absolute Add in additional rules shipped with the Debian package Include community rules Disable experimental preprocessors Enable at least one output plugin (unified2) Add notes inline to Debian users Define max_gzip_mem as recommended in configuration guides Author: Javier Fernández-Sanguino Peña Origin: vendor Last-Update: 2012-08-09 --- a/etc/snort.conf +++ b/etc/snort.conf 
@@ -42,10 +42,20 @@ ################################################### # Setup the network addresses you are protecting +# +# Note to Debian users: this value is overriden when starting +# up the Snort daemon through the init.d script by the +# value of DEBIAN_SNORT_HOME_NET s defined in the +# /etc/snort/snort.debian.conf configuration file +# ipvar HOME_NET any # Set up the external network addresses. Leave as "any" in most situations ipvar EXTERNAL_NET any +# If HOME_NET is defined as something other than "any", alternative, you can +# use this definition if you do not want to detect attacks from your internal +# IP addresses: +#ipvar EXTERNAL_NET !$HOME_NET # List of DNS servers on your network ipvar DNS_SERVERS $HOME_NET @@ -101,17 +111,17 @@ # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, # such as: c:\snort\rules -var RULE_PATH ../rules -var SO_RULE_PATH ../so_rules -var PREPROC_RULE_PATH ../preproc_rules +var RULE_PATH /etc/snort/rules +var SO_RULE_PATH /etc/snort/so_rules +var PREPROC_RULE_PATH /etc/snort/preproc_rules # If you are using reputation preprocessor set these # Currently there is a bug with relative paths, they are relative to where snort is # not relative to snort.conf like the above variables # This is completely inconsistent with how other vars work, BUG 89986 # Set the absolute path appropriately -var WHITE_LIST_PATH ../rules -var BLACK_LIST_PATH ../rules +var WHITE_LIST_PATH /etc/snort/rules +var BLACK_LIST_PATH /etc/snort/rules ################################################### # Step #2: Configure the decoder. For more information, see README.decode 
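Review bot: The note added above `ipvar HOME_NET any` carries two typos into the shipped configuration: `overriden` should be `overridden`, and `value of DEBIAN_SNORT_HOME_NET s defined in the` should read `value of DEBIAN_SNORT_HOME_NET as defined in the`. The EXTERNAL_NET comment a few lines further down also reads awkwardly; `# If HOME_NET is defined as something other than "any", you can alternatively` keeps the meaning. The override the note describes matches what the init.d config-check arm does when it passes `-S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]"` to the daemon, so only the wording needs fixing.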
@@ -244,13 +254,13 @@ ################################################### # path to dynamic preprocessor libraries -dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/ +dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/ # path to base preprocessor engine -dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so +dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so # path to dynamic rules libraries -dynamicdetection directory /usr/local/lib/snort_dynamicrules +dynamicdetection directory /usr/lib/snort_dynamicrules ################################################### # Step #5: Configure preprocessors @@ -294,7 +304,7 @@ # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000 # HTTP normalization and anomaly detection. For more information, see README.http_inspect -preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 +preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535 max_gzip_mem 104857600 preprocessor http_inspect_server: server default \ http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \ chunk_length 500000 \ 
@@ -502,13 +512,18 @@ memcap 262144 \ check_crc +# +# Note to Debian users: this is disabled since it is an experimental +# preprocessor. If you want to use it you have to create the rules files +# referenced below in the /etc/snort/rules directory +# # Reputation preprocessor. For more information see README.reputation -preprocessor reputation: \ - memcap 500, \ - priority whitelist, \ - nested_ip inner, \ - whitelist $WHITE_LIST_PATH/white_list.rules, \ - blacklist $BLACK_LIST_PATH/black_list.rules +#preprocessor reputation: \ +# memcap 500, \ +# priority whitelist, \ +# nested_ip inner, \ +# whitelist $WHITE_LIST_PATH/white_list.rules, \ +# blacklist $BLACK_LIST_PATH/black_list.rules ################################################### # Step #6: Configure output plugins @@ -518,6 +533,7 @@ # unified2 # Recommended for most installs # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types +output unified2: filename snort.log, limit 128, nostamp, mpls_event_types, vlan_event_types # Additional configuration for specific types of installs # output alert_unified2: filename snort.alert, limit 128, nostamp @@ -541,6 +557,10 @@ # NOTE: All categories are enabled in this conf file ################################################### +# Note to Debian users: The rules preinstalled in the system +# can be *very* out of date. For more information please read +# the /usr/share/doc/snort-rules-default/README.Debian file + # site specific rules include $RULE_PATH/local.rules 
@@ -659,6 +679,19 @@ include $RULE_PATH/web-misc.rules include $RULE_PATH/web-php.rules include $RULE_PATH/x11.rules +include $RULE_PATH/community-sql-injection.rules +include $RULE_PATH/community-web-client.rules +include $RULE_PATH/community-web-dos.rules +include $RULE_PATH/community-web-iis.rules +include $RULE_PATH/community-web-misc.rules +include $RULE_PATH/community-web-php.rules +include $RULE_PATH/community-sql-injection.rules +include $RULE_PATH/community-web-client.rules +include $RULE_PATH/community-web-dos.rules +include $RULE_PATH/community-web-iis.rules +include $RULE_PATH/community-web-misc.rules +include $RULE_PATH/community-web-php.rules + ################################################### # Step #8: Customize your preprocessor and decoder alerts debian/patches/series0000664000000000000000000000014612317377631012047 0ustar config fix_ftbfs_in_manual.tex rules signature_documentation config_disabled_rules fix_upstream_typos debian/patches/rules0000664000000000000000000771017612317374526011731 0ustar Description: Additional community rules Origin: other Last-Update: 2011-11-28 --- /dev/null +++ b/rules/community-web-dos.rules @@ -0,0 +1,5 @@ +# Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# These rules are licensed under the GNU General Public License. +# Please see the file LICENSE in this directory for more details. +# $Id: community-web-dos.rules,v 1.8 2005/03/08 14:41:42 bmc Exp $ + --- /dev/null +++ b/rules/pop2.rules 
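Review bot: The twelve `include $RULE_PATH/community-*.rules` lines appended after `include $RULE_PATH/x11.rules` list each of the six community files twice (sql-injection, web-client, web-dos, web-iis, web-misc, web-php). Every rule in those files is therefore parsed a second time; Snort flags duplicate rules when it loads them (the exact handling varies by version), so the second set is at best dead weight and at worst startup noise on every boot. Keep one copy of each of the six include lines and drop the repeated block.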
@@ -0,0 +1,26 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: pop2.rules,v 1.11.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $ +#-------------- +# POP2 RULES +#-------------- + +alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:1934; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:1935; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:284; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF 
FF|/BIN/SH|00|"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:285; rev:8;) --- /dev/null +++ b/rules/backdoor.rules 
@@ -0,0 +1,119 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: backdoor.rules,v 1.44.2.6.2.3 2005/05/31 17:13:02 mwatchinski Exp $ +#--------------- +# BACKDOOR RULES +#--------------- +# + +alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;) +alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;) + + +alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;) + +alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any 
(msg:"BACKDOOR NetBus Pro 2.0 connection established"; flow:from_server,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; classtype:misc-activity; sid:115; rev:9;) + +# 3150, 4120 +alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1980; rev:4;) +alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:195; rev:7;) +alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1981; rev:3;) +alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1982; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1983; rev:3;) +alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; sid:1984; rev:3;) + + +alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;) +alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; 
content:"Connected."; classtype:trojan-activity; sid:1985; rev:2;) + + +alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;) +alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;) +alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; flow:stateless; ack:101058054; flags:A,12; seq:101058054; reference:arachnids,445; classtype:misc-activity; sid:106; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;) + + +alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;) +alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;) +alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; sid:120; rev:8;) +alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; reference:cve,1999-0660; reference:nessus,11157; classtype:misc-activity; 
sid:121; rev:8;) + +alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;) + +alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;) +alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;) +alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;) +alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;) +alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; reference:mcafee,98575; classtype:misc-activity; sid:153; rev:6;) +alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;) +alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;) +# alert tcp 
$EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flow:stateless; flags:A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:6;) +alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;) +alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;) +alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:9;) +alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;) +alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; dsize:>1; flags:A+; reference:arachnids,203; classtype:misc-activity; sid:184; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;) + + +alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; 
classtype:attempted-admin; sid:211; rev:3;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;) +alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:8;) +alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute 
trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;) +alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;) + + +# NOTES: this string should be within the first 3 bytes of the connection +alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;) +alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; reference:mcafee,10566; reference:nessus,10409; classtype:misc-activity; sid:2100; rev:6;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flow:stateless; flags:S,12; window:55808; reference:mcafee,100406; classtype:trojan-activity; sid:2182; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BACKDOOR sensepost.exe command shell attempt"; flow:to_server,established; uricontent:"/sensepost.exe"; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:11;) +alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3015; rev:3;) +alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; flow:from_server,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; classtype:misc-activity; sid:3016; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get system directory attempt"; flow:to_server,established; content:"SYSDIR"; depth:6; classtype:misc-activity; sid:3011; rev:1;) +alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"BACKDOOR Asylum 0.1 connection established"; flow:from_server,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; classtype:misc-activity; sid:3014; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick get windows directory attempt"; flow:to_server,established; content:"WINDIR"; depth:6; classtype:misc-activity; sid:3010; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; classtype:misc-activity; sid:3013; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; 
depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; classtype:misc-activity; sid:3009; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick upload/execute arbitrary file attempt"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; classtype:misc-activity; sid:3012; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:3063; rev:2;)
+alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"BACKDOOR Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:3064; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; content:"getclient"; depth:9; flowbits:isset,backdoor.y3krat_15.connect; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; classtype:misc-activity; sid:3082; rev:1;)
+alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connect"; flow:from_server,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; classtype:misc-activity; sid:3081; rev:1;)
+alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:from_server, established; content:"client"; depth:6; flowbits:isset, backdoor.y3krat_15.client.response; classtype:misc-activity; sid:3083; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; classtype:trojan-activity; sid:3155; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"BACKDOOR mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
--- /dev/null
+++ b/rules/telnet.rules
@@ -0,0 +1,42 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
+#-------------
+# TELNET RULES
+#-------------
+#
+# These signatures are based on various telnet exploits and unpassword
+# protected accounts.
+#
+
+
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)
--- /dev/null
+++ b/rules/experimental.rules
@@ -0,0 +1,27 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: experimental.rules,v 1.78.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+# ---------------
+# EXPERIMENTAL RULES
+# ---------------
+# These signatures are experimental, new and may trigger way too often.
+#
+# Be forwarned, this is our testing ground. We put new signatures here for
+# testing before incorporating them into the default signature set. This is
+# for bleeding edge stuff only.
+#
--- /dev/null
+++ b/rules/web-php.rules
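Review bot: sid:1253 (`TELNET bsd exploit client finishing`) pairs the header `$EXTERNAL_NET any -> $TELNET_SERVERS 23` with `flow:to_client,established`, and the two pull in opposite directions: the header selects packets sent to the telnet server's port 23, while `to_client` (as I understand Snort's flow semantics) only accepts packets travelling from the server side of the session toward the client. A packet can satisfy both only if the `$TELNET_SERVERS` host is the session initiator, so in practice this rule is dead and its `successful-admin` classification is never reported. Its sibling sid:1252 is consistently `from_server` on a `$TELNET_SERVERS 23 -> $EXTERNAL_NET any` header, and the message says 1253 is the client-side half of the same exploit, so the flow keyword should read `flow:to_server,established;` with the rest of the line unchanged. Separately, `$TELNET_SERVERS` is not defined anywhere in this hunk, so the rule file silently depends on snort.conf providing that variable; worth a comment at the top of the file if that is intended.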
@@ -0,0 +1,162 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-php.rules,v 1.21.2.2.2.2 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# WEB-PHP RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP bb_smilies.php access"; flow:to_server,established; uricontent:"/bb_smilies.php"; nocase; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"name=|22 CC CC CC CC CC|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP content-disposition"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"form-data|3B|"; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; uricontent:"/squirrelspell/modules/check_me.mod.php"; nocase; content:"SQSPELL_APP["; nocase; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP squirrel mail theme arbitrary command attempt"; flow:to_server,established; uricontent:"/left_main.php"; nocase; content:"cmdd="; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools administrator authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; nocase; content:"user_dnstools_administrator=true"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools authentication bypass attempt"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; content:"user_logged_in=true"; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DNSTools access"; flow:to_server,established; uricontent:"/dnstools.php"; nocase; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; uricontent:"/dostuff.php?action=modify_user"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-PHP Blahz-DNS dostuff.php access"; flow:to_server,established; uricontent:"/dostuff.php"; nocase; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Messagerie supp_membre.php access"; flow:to_server,established; uricontent:"/supp_membre.php"; nocase; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP php.exe access"; flow:to_server,established; uricontent:"/php.exe"; nocase; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:3;) + + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php arbitrary command attempt"; flow:to_server,established; uricontent:"/directory.php"; content:"dir="; content:"|3B|"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1815; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP directory.php access"; flow:to_server,established; uricontent:"/directory.php"; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Wiki cross site scripting attempt"; flow:established,to_server; uricontent:"/modules.php?"; uricontent:"name=Wiki"; nocase; uricontent:" $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php arbitrary command attempt"; flow:established,to_server; uricontent:"/quick-reply.php"; content:"phpbb_root_path="; distance:1; reference:bugtraq,6173; classtype:web-application-attack; sid:1967; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpbb quick-reply.php access"; flow:established,to_server; uricontent:"/quick-reply.php"; reference:bugtraq,6173; classtype:web-application-activity; sid:1968; 
rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; reference:cve,2002-1341; classtype:web-application-activity; sid:1997; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:bugtraq,5820; reference:bugtraq,9353; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:established,to_server; uricontent:".php"; content:"path="; pcre:"/path=(http|https|ftp)/i"; classtype:web-application-attack; sid:2002; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum admin access"; flow:to_server,established; uricontent:"/admin.php3"; nocase; reference:arachnids,205; reference:bugtraq,2271; classtype:attempted-recon; sid:1134; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP piranha passwd.php3 access"; flow:to_server,established; uricontent:"/passwd.php3"; reference:arachnids,272; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum read access"; flow:to_server,established; uricontent:"/read.php3"; nocase; reference:arachnids,208; classtype:attempted-recon; sid:1178; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum violation access"; flow:to_server,established; uricontent:"/violation.php3"; nocase; reference:arachnids,209; reference:bugtraq,2272; classtype:attempted-recon; sid:1179; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum code access"; flow:to_server,established; uricontent:"/code.php3"; nocase; reference:arachnids,207; classtype:attempted-recon; sid:1197; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php file upload attempt"; flow:to_server,established; uricontent:"/admin.php"; nocase; content:"file_name="; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smssend.php access"; flow:to_server,established; uricontent:"/smssend.php"; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"file="; pcre:"/file=(http|https|ftp)/i"; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php attempt"; flow:to_server,established; uricontent:"/support/common.php"; content:"ForumLang=../"; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum /support/common.php access"; flow:to_server,established; uricontent:"/support/common.php"; reference:bugtraq,1997; reference:bugtraq,9361; classtype:web-application-attack; sid:1491; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; nocase; reference:arachnids,206; reference:bugtraq,2274; classtype:attempted-recon; sid:1137; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; reference:arachnids,431; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP strings overflow"; flow:to_server,established; uricontent:"?STRENGUR"; reference:arachnids,430; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1254; rev:8;)
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-PHP PHPLIB remote command attempt"; flow:to_server,established; uricontent:"/db_mysql.inc"; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; uricontent:"/uploadimage.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2074; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php upload php file attempt"; flow:to_server,established; uricontent:"/upload.php"; content:"userfile_name="; content:".php"; distance:1; reference:bugtraq,6572; classtype:web-application-attack; sid:2075; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo uploadimage.php access"; flow:to_server,established; uricontent:"/uploadimage.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2076; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo upload.php access"; flow:to_server,established; uricontent:"/upload.php"; reference:bugtraq,6572; classtype:web-application-activity; sid:2077; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBB privmsg.php access"; flow:to_server,established; uricontent:"/privmsg.php"; reference:bugtraq,6634; classtype:web-application-activity; sid:2078; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP p-news.php access"; flow:to_server,established; uricontent:"/p-news.php"; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php directory traversal attempt"; flow:to_server,established; uricontent:"/shoutbox.php"; content:"conf="; content:"../"; distance:0; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP shoutbox.php access"; flow:to_server,established; uricontent:"/shoutbox.php"; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; uricontent:"/gm-2-b2.php"; content:"b2inc="; pcre:"/b2inc=(http|https|ftp)/i"; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php access"; flow:to_server,established; uricontent:"/gm-2-b2.php"; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password admin attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=admin"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; uricontent:"/admin.php"; content:"op=admin_enter"; content:"password=12345"; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; uricontent:"/objects.inc.php4"; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(http|https|ftp)/"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 access"; flow:to_server,established; uricontent:"/objects.inc.php4"; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Turba status.php access"; flow:to_server,established; uricontent:"/turba/status.php"; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; uricontent:"/admin/templates/header.php"; content:"admin_root="; pcre:"/admin_root=(http|https|ftp)/"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php access"; flow:to_server,established; uricontent:"/admin/templates/header.php"; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP test.php access"; flow:to_server,established; uricontent:"/test.php"; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php directory traversal attempt"; flow:to_server,established; uricontent:"/autohtml.php"; content:"name="; content:"../../"; distance:0; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP autohtml.php access"; flow:to_server,established; uricontent:"/autohtml.php"; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; uricontent:"forum/index.php"; content:"template="; pcre:"/template=(http|https|ftp)/i"; reference:bugtraq,7542; reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; uricontent:"lib.inc.php"; content:"pm_path="; pcre:"/pm_path=(http|https|ftp)/"; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP forum_details.php access"; flow:to_server,established; uricontent:"forum_details.php"; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; uricontent:"db_details_importdocsql.php"; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP viewtopic.php access"; flow:to_server,established; uricontent:"viewtopic.php"; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP UpdateClasses.php access"; flow:to_server,established; uricontent:"/UpdateClasses.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Title.php access"; flow:to_server,established; uricontent:"/Title.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Setup.php access"; flow:to_server,established; uricontent:"/Setup.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2281; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP GlobalFunctions.php access"; flow:to_server,established; uricontent:"/GlobalFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DatabaseFunctions.php access"; flow:to_server,established; uricontent:"/DatabaseFunctions.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook remote file include attempt"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; content:"path="; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP rolis guestbook access"; flow:to_server,established; uricontent:"/insert.inc.php"; nocase; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP friends.php access"; flow:to_server,established; uricontent:"/friends.php"; nocase; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; 
uricontent:"firstname="; nocase; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox cord.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"ideaDir"; nocase; content:"cord.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IdeaBox notification.php file include"; flow:to_server,established; uricontent:"/index.php"; nocase; content:"gorumDir"; nocase; content:"notification.php"; nocase; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board emailer.php file include"; flow:to_server,established; uricontent:"/ad_member.php"; nocase; content:"emailer.php"; nocase; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat db_mysql.php file include"; flow:to_server,established; uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"db_mysql.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2356; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WebChat english.php file include"; flow:to_server,established; 
uricontent:"/defines.php"; nocase; content:"WEBCHATPATH"; nocase; content:"english.php"; nocase; reference:bugtraq,7000; classtype:web-application-attack; sid:2357; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Typo3 translations.php file include"; flow:to_server,established; uricontent:"/translations.php"; nocase; content:"ONLY"; nocase; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Invision Board ipchat.php file include"; flow:to_server,established; uricontent:"/ipchat.php"; nocase; content:"root_path"; nocase; content:"conf_global.php"; nocase; reference:bugtraq,6976; classtype:web-application-attack; sid:2359; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myphpPagetool pt_config.inc file include"; flow:to_server,established; uricontent:"/doc/admin"; nocase; content:"ptinclude"; nocase; content:"pt_config.inc"; nocase; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP news.php file include"; flow:to_server,established; uricontent:"/news.php"; nocase; content:"template"; nocase; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP YaBB SE packages.php file include"; flow:to_server,established; uricontent:"/packages.php"; nocase; content:"packer.php"; nocase; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards default_header.php access"; flow:to_server,established; uricontent:"/default_header.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Cyboards options_form.php access"; 
flow:to_server,established; uricontent:"/options_form.php"; nocase; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP newsPHP Language file include attempt"; flow:to_server,established; uricontent:"/nphpd.php"; nocase; content:"LangFile"; nocase; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/functions.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; uricontent:"/config_gedcom.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Photopost PHP Pro showphoto.php access"; flow:to_server,established; uricontent:"/showphoto.php"; nocase; reference:bugtraq,9557; classtype:web-application-activity; sid:2372; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP /_admin access"; flow:to_server,established; uricontent:"/_admin/"; nocase; reference:bugtraq,9537; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:1;) +alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; uricontent:"newsletter.php"; nocase; content:"waroot"; nocase; content:"start.php"; nocase; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP WAnewsletter db_type.php access"; flow:to_server,established; uricontent:"/sql/db_type.php"; nocase; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phptest.php access"; flow:to_server,established; uricontent:"/phptest.php"; nocase; reference:bugtraq,9737; classtype:web-application-activity; sid:2405; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; uricontent:"/page.php"; nocase; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP modules.php access"; flow:to_server,established; uricontent:"/modules.php"; nocase; reference:bugtraq,9879; classtype:web-application-activity; sid:2565; rev:1;) + + + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHPBB viewforum.php access"; flow:to_server,established; uricontent:"/viewforum.php"; nocase; reference:bugtraq,9865; reference:bugtraq,9866; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:4;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; uricontent:"/header.php"; nocase; content:"systempath="; pcre:"/systempath=(http|https|ftp)/i"; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP TUTOS path 
disclosure attempt"; flow:to_server,established; uricontent:"/note_overview.php"; content:"id="; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView PGV base directory manipulation"; flow:to_server,established; uricontent:"_conf.php"; nocase; content:"PGV_BASE_DIRECTORY"; nocase; reference:bugtraq,9368; classtype:web-application-attack; sid:2926; rev:1;) --- /dev/null +++ b/rules/web-coldfusion.rules 
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-coldfusion.rules,v 1.27.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#---------------------
+# WEB-COLDFUSION RULES
+#---------------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfcache.map access"; flow:to_server,established; uricontent:"/cfcache.map"; nocase; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp application.cfm"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:904; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; reference:bugtraq,1021; reference:cve,2000-0189; classtype:attempted-recon; sid:905; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getfile.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-recon; sid:906; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION addcontent.cfm access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase; classtype:attempted-recon; sid:907; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION administrator access"; flow:to_server,established; uricontent:"/cfide/administrator/index.cfm"; nocase; reference:bugtraq,1314; reference:cve,2000-0538; classtype:attempted-recon; sid:908; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION fileexists.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/fileexists.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:910; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exprcalc access"; flow:to_server,established; uricontent:"/cfdocs/expeval/exprcalc.cfm"; nocase; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; classtype:attempted-recon; sid:911; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION parks access"; flow:to_server,established; uricontent:"/cfdocs/examples/parks/detail.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:912; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfappman access"; flow:to_server,established; uricontent:"/cfappman/index.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:913; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION beaninfo access"; flow:to_server,established; uricontent:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:914; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION evaluate.cfm access"; flow:to_server,established; uricontent:"/cfdocs/snippets/evaluate.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:916; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:917; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION expeval access"; flow:to_server,established; uricontent:"/cfdocs/expeval/"; nocase; reference:bugtraq,550; reference:cve,1999-0477; classtype:attempted-user; sid:918; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:921; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION displayfile access"; flow:to_server,established; uricontent:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:922; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:924; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION mainframeset access"; flow:to_server,established; uricontent:"/cfdocs/examples/mainframeset.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:925; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:926; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:927; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION exampleapp access"; flow:to_server,established; uricontent:"/cfdocs/exampleapp/"; nocase; classtype:attempted-recon; sid:928; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; nocase; reference:bugtraq,550; classtype:attempted-user; sid:929; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION snippets attempt"; flow:to_server,established; uricontent:"/cfdocs/snippets/"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:930; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"; flow:to_server,established; uricontent:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:931; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION application.cfm access"; flow:to_server,established; uricontent:"/application.cfm"; nocase; reference:arachnids,268; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION onrequestend.cfm access"; flow:to_server,established; uricontent:"/onrequestend.cfm"; nocase; reference:arachnids,269; reference:bugtraq,550; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION startstop DOS access"; flow:to_server,established; uricontent:"/cfide/administrator/startstop.html"; nocase; reference:bugtraq,247; classtype:web-application-attack; sid:935; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION gettempdirectory.cfm access "; flow:to_server,established; uricontent:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; reference:bugtraq,550; classtype:attempted-recon; sid:936; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION sendmail.cfm access"; flow:to_server,established; uricontent:"/sendmail.cfm"; nocase; classtype:attempted-recon; sid:1659; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION ?Mode=debug attempt"; flow:to_server,established; uricontent:"Mode=debug"; nocase; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:7;)
--- /dev/null
+++ b/rules/community-web-iis.rules
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-iis.rules,v 1.2 2005/10/20 13:49:44 akirk Exp $
+
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt localhost"; flow:to_server,established; content:"localhost"; nocase; pcre:"/http\x3A\/\/localhost\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000138; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"127.0.0.1"; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent Redirect Overflow attempt"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi"; classtype:web-application-activity; sid:100000173; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-IIS RSA WebAgent access"; flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; reference:bugtraq,13168; classtype:web-application-activity; sid:100000174; rev:1;)
--- /dev/null
+++ b/rules/community-mail-client.rules
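Review bot: Two `msg` strings in the web-coldfusion.rules hunk carry text defects that will appear verbatim in alert output and in anything keyed on the message: sid 919's `msg:"WEB-COLDFUSION datasource passwordattempt"` is missing a space (`msg:"WEB-COLDFUSION datasource password attempt"`, matching the wording of sid 909's `datasource username attempt`), and sid 936's `msg:"WEB-COLDFUSION gettempdirectory.cfm access "` has a trailing space. If this file is tracked verbatim from upstream (the `$Id$` header suggests so), the wording fix belongs upstream with a `rev` bump rather than in a packaging patch, so at minimum note it in the packaging changelog. The last rule, sid 1540, also breaks the file's otherwise ascending sid order by following sid 1659; Snort does not care, but it makes the file harder to diff against later upstream revisions.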
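Review bot: sid 100000173 (RSA WebAgent Redirect Overflow attempt) carries no `reference:` option while its sibling sid 100000174, matching the same `/WebID/IISWebAgentIF.dll` URI, cites `reference:cve,2005-1118; reference:bugtraq,13168`; if the overflow is the condition those advisories describe (presumably, but confirm against the advisory text), the same references should be added to 100000173 so an analyst can pivot from the alert to the vendor fix. All four community rules are also written against `$HOME_NET $HTTP_PORTS` whereas the VRT web rules added in this same commit use `$HTTP_SERVERS $HTTP_PORTS`; on a sensor where HTTP_SERVERS is narrower than HOME_NET these rules inspect a wider set of hosts, which is a policy choice worth a comment in the file rather than a defect.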
@@ -0,0 +1,4 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-mail-client.rules,v 1.6 2005/03/08 14:41:42 bmc Exp $
--- /dev/null
+++ b/rules/deleted.rules
@@ -0,0 +1,451 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: deleted.rules,v 1.37.2.1.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-------------
+# DELETED RULES
+#-------------
+# These signatures have been deleted for various reasons, but we are keeping
+# them here for historical purposes.
+
+# Duplicate to 332
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
+
+# Duplicate of 512
+alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
+
+# Duplicate of 514
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
+
+# Duplicate of 557
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
+
+# Duplicate of 559
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
+
+# Duplicate of 844
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
+
+# Yeah, so the one site that was vulnerable to edit.pl aint no more.
+# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
+
+# duplicate of 987
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
+
+# webmasters suck, so this happens ever so often. Its really not that bad,
+# so lets disable it.
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
+
+# dup of 1660
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
+
+# dup
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
+
+
+# Falses WAAAYYY too often.
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
+
+# Replaced with 1801,1802,1803,1804
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
+
+# duplicate of sid:1673
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
+
+# Port based only sigs suck, this is why stream4 has flow logs
+alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
+
+# basically duplicate of 330
+alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
+
+# duplicate of 1478
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
+
+# duplicate of 1248
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
+
+# duplicate of 1249
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
+
+# duplicate of 1755
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
+
+# duplicate of 1538
+alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
+
+# This rule looks for the exploit for w3-msql, but very badly
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
+
+
+# duplicate of 109
+alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
+
+# duplicate of 110
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
+
+
+# we have a backorifice preprocessor
+alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
+
+# we have a backorifice preprocessor
+alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
+
+
+
+alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
+alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
+alert udp $HOME_NET 
2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;) +alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;) +alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 
(msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;) +alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;) +alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;) +alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; 
reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;) 
+alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;) +alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; 
classtype:attempted-recon; sid:252; rev:7;) +alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;) + +# The following ftp rules look for specific exploits, which are not needed now +# that initial protocol decoding is available. + +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site 
exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; 
flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;) + +# duplicate of 475 +alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;) + + +# not needed thanks to 1964 and 1965 +alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;) + +# dup of 589 +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;) +# dup of 1275 +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;) + +# dup of 1280 +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;) + +# dup of 1281 +alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;) + +alert ip $EXTERNAL_NET any -> 
$HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;) + +# this has been replaced with sid 1905 and 1906 +alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;) + +# these have been replaced by 1915, 1916, 1914, and 1913 +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;) +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;) + +# duplicate of 1088 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;) + + +# these are obsolete +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 
(msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;) + +# what is this rule? we have no idea... +alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;) + +# These have been replaced by better rules (1915,1916,1913,1914) +alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;) + +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check 
returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;) + +# specific example for sid:1549 +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;) + +# this is properly caught by sid:527 +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;) + +# duplicate of 1546 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;) + +# these are obsoleted by cleaning up 663 +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;) + +# dup of 588 +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap 
tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;) +# dup of 1274 +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;) + +# these virus rules suck. 
+alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... 
Hey you !"; classtype:misc-activity; sid:727; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;) +alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;) +alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;) +alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share 
tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;) +alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - 
theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;) +alert tcp any 110 -> 
any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; 
offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;) +alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; 
reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; 
content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;) +alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;) +alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;) +# pcre makes this not needed +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; 
flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;) + +# historical reference... this used to be here... +alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;) + +# taken care of by http_inspect now +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; reference:nessus,10671; sid:970; rev:11;) + +# better rule for 1054 caused these rules to not be needed +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;) + +# these rules are dumb. 
sid:857 looks for the access, and thats all we can do +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;) + +# dup of 2061 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;) + + + +# squash all of the virus rules into one rule. go PCRE! +alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; 
rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; 
sid:2167; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;) +alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; 
classtype:suspicious-filename-detect; sid:2173; rev:4;) + +# uh, yeah this happens quite a bit. +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;) + +# dup of 1485 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;) + +# dup of 2339 +alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;) + +# these happen. more research = more better rules +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2503; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2506; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2499; 
rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; reference:nessus,12204; sid:2498; rev:8;) + + +#nmap is no longer as dumb as it once was... +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;) + +# dup of 553 +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;) + +# dup of 2417, which is a better rule anyways +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; sid:1530; rev:12;) + +# ans1 goodness takes care of this one for us +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; 
classtype:attempted-dos; reference:nessus,12065; sid:2385; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; reference:nessus,12065; sid:2384; rev:10;) + + +# because this rule sucks +alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:9;) + + +# http inspect does a better job than these rules do +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:981; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; 
classtype:web-application-attack; reference:nessus,10537; sid:982; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:983; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:web-application-attack; reference:nessus,10537; sid:1945; rev:6;) + +# dup of 1672 +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:7;) + +# dup of 1229 +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:3;) + +# dup of 1757 +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC b2 access"; flow:to_server,established; uricontent:"/b2/b2-include/"; content:"b2inc"; content:"http|3A|//"; classtype:web-application-attack; reference:bugtraq,4673; reference:cve,2002-0734; sid:1758; rev:6;) + +# dup of 653 +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:2;) + +# converted to a dup by 1437 moving to regex +alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:7;) + +# handled by 1212 +alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC order.log access"; flow:to_server,established; uricontent:"/admin_files/order.log"; nocase; classtype:attempted-recon; sid:1176; rev:6;)
+
--- /dev/null
+++ b/rules/ddos.rules
@@ -0,0 +1,66 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: ddos.rules,v 1.23.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#-----------
+# DDOS RULES
+#-----------
+
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; icmp_id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
+
+
+alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flow:stateless; flags:S,12; seq:674711609; reference:arachnids,253; reference:cve,2000-0138; classtype:attempted-dos; sid:241; rev:10;)
+
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
+
+
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
+alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flow:stateless; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:8;)
+alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
+
+
+alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
+alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)
--- /dev/null
+++ b/rules/community-misc.rules
@@ -0,0 +1,48 @@ +# Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# These rules are licensed under the GNU General Public License. +# Please see the file LICENSE in this directory for more details. +# $Id: community-misc.rules,v 1.25 2007/03/05 15:22:49 akirk Exp $ + +alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY MISC Sentinel License Manager overflow attempt"; dsize:>1000; reference:cve,CAN-2005-0353; reference:bugtraq,12742; classtype:attempted-user; sid:100000125; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2380 (msg:"COMMUNITY MISC GoodTech Telnet Server Buffer Overflow Attempt"; flow:to_server,established; pcre:"/[^\r\n]{1000,}/i"; reference:cve,2005-0768; reference:url,unsecure.altervista.org/security/goodtechtelnet.htm; classtype:attempted-dos; sid:100000126; rev:1;) +#Rule submitted by rmkml +alert tcp any any -> any !139 (msg:"COMMUNITY MISC BAD-SSL tcp detect"; flow:stateless; content:"|00 0E|"; depth:4; offset:0; classtype:misc-activity; sid:100000137; rev:1;) +#Rules submitted by Thierry Chich +alert tcp any any -> any any (msg:"COMMUNITY MISC streaming RTSP - realplayer"; flow:established; content:"PLAY rtsp|3A 2F 2F|"; depth: 12; classtype:policy-violation; reference:url,www.rtsp.org; sid:100000189; rev:2;) +alert tcp any any -> any any (msg:"COMMUNITY MISC streaming Windows Mediaplayer"; flow:established; content:"|01 00 00 00 ce fa 0b b0|"; depth: 8; content:"MMS"; distance:4; within:4; classtype:policy-violation; reference:url,www.microsoft.com; sid:100000190; rev:2;) +#alert udp $EXTERNAL_NET 1023: -> $HOME_NET 123 (msg:"COMMUNITY MISC Ntp fingerprint detect"; dsize:48; content:"|BE 78 2F 1D 19 BA 00 00|"; reference:url,www.arhont.com/ViewPage7422.html?siteNodeId=3&languageId=1&contentId=-1; classtype:attempted-dos; sid:100000198; rev:1;) +#Rule submitted by rmkml +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8008 (msg:"COMMUNITY MISC Novell eDirectory iMonitor access"; flow:to_server,established; uricontent:"/nds/"; 
nocase; reference:bugtraq,14548; reference:cve,2005-2551; reference:nessus,19248; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18703; classtype:web-application-attack; sid:100000199; rev:1;) +#Rule submitted jointly by Romain Chartier, Sylvain Sarmejeanne, and Pierre Lalet +alert udp any any -> any 53 (msg:"COMMUNITY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) +#Rules submitted by Crusoe Researches Team +alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"COMMUNITY MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) +alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"COMMUNITY MISC SNMP trap Format String detected"; content:"%s"; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:1;) +#Rule submitted by Nigel Houghton +alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"COMMUNITY MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:2;) + +#Jabber/Google Talk traffic from the client submitted by Steven Alexander +alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" 
$EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Outoing Message"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Jabber/Google Talk Log Out"; flow:to_server,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"COMMUNITY MISC Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $HOME_NET 1364 (msg:"COMMUNITY MISC Connect Direct Server - Session Terminated Invalid Credentials"; flow:stateless; content:"SVTM056I"; nocase; classtype:bad-unknown; sid:100000281; rev:2;) + +# TOR Rules by Dan Ramaswami +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY MISC DLR-TOR Directory server response"; flow:established,to_client; content:"|54 4f 52|"; offset:109; depth:3; content:"|06 03 55 04 03|"; distance:4; within:5; content:"|20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:2; within:30; reference:url,tor.eff.org; classtype:policy-violation; sid:100000874; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY MISC DLR-TOR Client Traffic"; flow:established,to_server;content:"|54 4f 52|"; content:"|06 03 55 04 03 14|"; distance:4; within:6; content:"|63 6c 69 65 6e 74 20 3C 69 64 65 6E 74 69 74 79 3E|"; distance:1; within:17; classtype:policy-violation; reference:url,tor.eff.org; sid:100000875; rev:1;) + +# Additional GoogleTalk Rules by Will Young +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY MISC Google Talk Version Check"; flow: established,to_server; uricontent:"/googletalk/google-talk-versioncheck.txt?"; nocase; classtype: policy-violation; sid:100000876; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"COMMUNITY MISC Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; classtype:policy-violation; 
threshold: type limit, track by_src, count 1, seconds 300; sid:100000877; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"COMMUNITY MISC Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; classtype:attempted-dos; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; sid:100000892; rev:1;) + +# Rule submitted by dprotich@sagonet.com +alert udp $EXTERNAL_NET any <> $HOME_NET 1025:1026 (msg:"COMMUNITY MISC Microsoft Messenger phishing attempt - corrupted registry"; content:"FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!"; classtype:misc-activity; reference:url,www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx; sid:100000927; rev:1;) --- /dev/null +++ b/rules/chat.rules 
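Review bot: The Sentinel License Manager rule (sid 100000125) cites `reference:cve,CAN-2005-0353` with the retired CAN- prefix, so Snort's reference URL construction for it yields a dead link; community-exploit.rules in this same commit already cites the identical id as `reference:cve,2005-0353`, which is the form to use here (and the edit warrants `rev:2`). The BAD-SSL rule (sid 100000137) matches two bytes at offset 0 on stateless TCP traffic to every port except 139, which is likely to be noisy on a busy sensor; a comment saying which protocol the `|00 0E|` prefix is meant to identify, or a narrower port/flow constraint, would help whoever tunes it. Several of the Jabber/Google Talk rules appear truncated in this rendering immediately after `content:"`, so their match patterns could not be reviewed.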
@@ -0,0 +1,63 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: chat.rules,v 1.25.2.2.2.4 2005/07/22 19:19:54 mwatchinski Exp $ +#------------- +# CHAT RULES +#------------- +# These signatures look for people using various types of chat programs (for +# example: AIM, ICQ, and IRC) which may be against corporate policy + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;) +alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;) + +alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN outbound file 
transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:6;) +alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:1988; rev:5;) +alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:1991; rev:2;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:542; rev:11;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 
6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;) +alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;) +alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;) + +alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:1631; rev:8;) +alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;) +alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;) + + + +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; 
depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) + +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) + +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) +alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;) + +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM conference request"; flow:to_server,established; content:" $HOME_NET any (msg:"CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) --- /dev/null +++ b/rules/community-web-attacks.rules 
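Review bot: The AIM receive-message rule (sid 1633) uses `flow:to_client;` without `established`, while the two AIM rules beside it (sids 1631 and 1632) require an established session, so as written its content match is also evaluated on packets outside tracked sessions. Unless the omission is deliberate, `flow:to_client,established;` with a rev bump keeps it consistent with its siblings. The Yahoo IM message rule (sid 2457) is declared `any any <> any 5101`, ignoring $HOME_NET and $EXTERNAL_NET entirely; if that is intentional for peer-to-peer traffic, a one-line comment would stop the next maintainer from "fixing" it. One Yahoo rule (sid 2460) appears truncated in this rendering after `content:"` and could not be reviewed.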
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081;
reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)
--- /dev/null
+++ b/rules/web-frontpage.rules
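Review bot: In the Hydra rule (sid 100000168) the trailing `nocase;` after the `pcre` option is a content modifier that re-applies to `content:"Hydra"`, which already carries one, and the pcre's own `i` flag handles case folding, so that token is redundant and should be dropped for clarity. The two GFI MailSecurity rules key on header length alone (`pcre:"/^Host[^\r\n]{100,}/smi"` and the 200-character Accept variant); a 100-character Host header is within what legitimate long hostnames produce, so expect false positives on sid 100000170 unless that threshold is justified by the advisory (bugtraq 15081). A one-line comment recording where the 100 and 200 cut-offs come from would help anyone tuning them.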
@@ -0,0 +1,58 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: web-frontpage.rules,v 1.32.2.2.2.2 2005/06/29 15:35:05 mwatchinski Exp $ +#-------------------- +# WEB-FRONTPAGE RULES +#-------------------- + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-activity; sid:1248; rev:13;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE frontpage rad fp4areg.dll access"; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-activity; sid:1249; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_rpc access"; flow:to_server,established; uricontent:"/_vti_rpc"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; 
classtype:web-application-activity; sid:937; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE posting"; flow:to_server,established; content:"POST"; uricontent:"/author.dll"; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx; classtype:web-application-activity; sid:939; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE shtml.dll access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.dll"; nocase; reference:arachnids,292; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx; classtype:web-application-activity; sid:940; rev:15;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE contents.htm access"; flow:to_server,established; uricontent:"/admcgi/contents.htm"; nocase; classtype:web-application-activity; sid:941; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.htm access"; flow:to_server,established; uricontent:"/_private/orders.htm"; nocase; classtype:web-application-activity; sid:942; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpsrvadm.exe access"; flow:to_server,established; uricontent:"/fpsrvadm.exe"; nocase; classtype:web-application-activity; sid:943; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpremadm.exe access"; flow:to_server,established; uricontent:"/fpremadm.exe"; nocase; classtype:web-application-activity; sid:944; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmin.htm access"; flow:to_server,established; uricontent:"/admisapi/fpadmin.htm"; nocase; classtype:web-application-activity; sid:945; rev:6;) +alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE fpadmcgi.exe access"; flow:to_server,established; uricontent:"/scripts/Fpadmcgi.exe"; nocase; classtype:web-application-activity; sid:946; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE orders.txt access"; flow:to_server,established; uricontent:"/_private/orders.txt"; nocase; classtype:web-application-activity; sid:947; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE form_results access"; flow:to_server,established; uricontent:"/_private/form_results.txt"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.htm access"; flow:to_server,established; uricontent:"/_private/registrations.htm"; nocase; classtype:web-application-activity; sid:949; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE cfgwiz.exe access"; flow:to_server,established; uricontent:"/cfgwiz.exe"; nocase; classtype:web-application-activity; sid:950; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE authors.pwd access"; flow:to_server,established; uricontent:"/authors.pwd"; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE author.exe access"; flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/author.exe"; nocase; classtype:web-application-activity; sid:952; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE administrators.pwd access"; flow:to_server,established; uricontent:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE 
form_results.htm access"; flow:to_server,established; uricontent:"/_private/form_results.htm"; nocase; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE access.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/access.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.txt access"; flow:to_server,established; uricontent:"/_private/register.txt"; nocase; classtype:web-application-activity; sid:956; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE registrations.txt access"; flow:to_server,established; uricontent:"/_private/registrations.txt"; nocase; classtype:web-application-activity; sid:957; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/service.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.pwd"; flow:to_server,established; uricontent:"/service.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE service.stp access"; flow:to_server,established; uricontent:"/_vti_pvt/service.stp"; nocase; classtype:web-application-activity; sid:960; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE services.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/services.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE 
shtml.exe access"; flow:to_server,established; uricontent:"/_vti_bin/shtml.exe"; nocase; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:13;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE svcacl.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/svcacl.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE users.pwd access"; flow:to_server,established; uricontent:"/users.pwd"; nocase; classtype:web-application-activity; sid:964; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE .... 
request"; flow:to_server,established; uricontent:"..../"; nocase; reference:arachnids,248; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent:"/dvwssr.dll"; nocase; reference:arachnids,271; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE register.htm access"; flow:to_server,established; uricontent:"/_private/register.htm"; nocase; classtype:web-application-activity; sid:968; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;) + --- /dev/null +++ b/rules/community-exploit.rules 
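Review bot: The `....` request rule (sid 966) attaches `nocase;` to `uricontent:"..../"`, a pattern with no letters, so the modifier does nothing and should be removed rather than suggest case is relevant. The msg of sid 959, `WEB-FRONTPAGE service.pwd`, is the only one in this file without the `access` suffix every sibling uses (`WEB-FRONTPAGE service.pwd access`), which complicates grouping alerts by message. The `/_vti_bin/` rule (sid 1288) will fire on every FrontPage-extension request on a server where the extensions are legitimately in use; a comment marking it as an inventory/activity rule to be disabled on such hosts would save tuning time.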
@@ -0,0 +1,11 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-exploit.rules,v 1.17 2006/08/18 19:38:06 akirk Exp $
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Flowbit"; flow:to_server,established; pcre:"/.{1050,}/U"; flowbits:set,community_uri.size.1050; flowbits:noalert; reference:cve,2004-0629; reference: bugtraq,10947; classtype:attempted-user; sid: 100000100; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY EXPLOIT Windows Acrobat Reader Activex Overflow Exploit"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2f(pdf|vnd\x2efdf|vnd\x2eadobe\x2exfdf|vnd\x2eadobe\x2exdp+xml|vnd\x2e\ adobe\x2exfd+xml)/smi"; flowbits:isset,community_uri.size.1050; reference:cve,2004-0629; reference:bugtraq,10947; classtype:attempted-user; sid:100000101; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5093 (msg:"COMMUNITY EXPLOIT Sentinel LM exploit"; dsize:2048; reference:bugtraq,12742; reference:cve,2005-0353; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=14605; reference:nessus,17326; classtype:attempted-dos; sid:100000165; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"COMMUNITY EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"COMMUNITY EXPLOIT SIP UDP spoof attempt"; content:"|3B|branch|3D 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0A|"; nocase; reference:bugtraq,14174; reference:cve,2005-2182; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17838; classtype:attempted-dos; sid:100000180; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET
65535 (msg:"COMMUNITY EXPLOIT LANDesk Management Suite Alerting Service buffer overflow"; dsize:>268; reference: bugtraq,23483; reference: cve,2007-1674; classtype: attempted-admin; sid:100000928; rev:1;)
--- /dev/null
+++ b/rules/community-smtp.rules
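Review bot: The Acrobat Reader flowbit setter (sid 100000100) runs `pcre:"/.{1050,}/U"` against every outbound request to $HTTP_PORTS and sets `community_uri.size.1050`, but the only consumer of that bit (sid 100000101) is commented out, so the pcre cost is paid for a bit nothing reads; either re-enable the consumer or comment out the setter with it. The disabled consumer's pcre contains `vnd\x2e\ adobe`, a backslash-space that looks like a typo for `vnd\x2eadobe` and may be why it was disabled — worth a comment beside it rather than leaving the reason implicit. Option spacing is also inconsistent within this file (`reference: bugtraq,10947`, `sid: 100000100`, `classtype: attempted-admin` against the unspaced form in every other rule); normalising to `sid:100000100` keeps the rules greppable.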
@@ -0,0 +1,14 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-smtp.rules,v 1.9 2006/07/14 13:36:01 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
+#Rule submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Gnu Mailman utf8 attachement access"; flow:to_server,established; content:"Content-Disposition|3A 20|attachement"; nocase; content:"filename|2A 3D|utf|2D|8"; nocase; content:"Content-Transfer-Encoding|3A 20|base64"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20819; classtype:attempted-dos; sid:100000191; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP MIME-Type ms-tnef access"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"application/ms-tnef"; nocase; reference:bugtraq,16197; reference:cve,2006-0002; reference:url,www.microsoft.com/technet/security/bulletin/MS06-003.mspx; classtype:attempted-admin; sid:100000219; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Mozilla filename overflow attempt"; flow:to_server,established; content:"filename|3D 22|"; nocase; pcre:"/^\s*filename\=\"[^\n]{100,}\.(exe|lnk)/smi"; reference:bugtraq,16271; classtype:attempted-admin; sid:100000224; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"COMMUNITY SMTP Incoming WAB attachment"; flow:to_server, established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=\s*.*\x2ewab/smi"; reference:cve,2006-0014; reference:url,www.microsoft.com/technet/security/bulletin/MS06-016.mspx; classtype:suspicious-filename-detect; sid:100000279; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"COMMUNITY SMTP McAfee WebShield SMTP bounce message format string attempt"; flow:to_server,established; content:"RCPT"; nocase; pcre:"/^RCPT\s+TO\x3a\s+[^\r\n]*\x25/smi"; reference:bugtraq,16742; reference:cve,2006-0559; classtype:attempted-admin; sid:100000301; rev:1;)
+# Enable only if SMTP_SERVERS is not any
+# alert tcp !$SMTP_SERVERS any -> any 25 (msg:"COMMUNITY SMTP Mytob MAIL FROM Attempt"; flow:established,to_server; content:"MAIL FROM|3A|"; nocase; pcre:"/MAIL\s+FROM\s*\x3A\s*\x3C?(spm|fcnz|www|secur|abuse)@/i"; reference:url,www.symantec.com/avcenter/venc/data/w32.mytob@mm.html; classtype:misc-attack; sid:100000689; rev:1;)
--- /dev/null
+++ b/rules/VRT-License.txt
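Review bot: In sid:100000279 the pattern `pcre:"/filename=\s*.*\x2ewab/smi"` uses `.*` under the `s` modifier, so it matches whenever `.wab` appears anywhere later in the message and the engine scans and backtracks across the whole remaining payload from each `filename=` before giving up. The Mozilla rule just above bounds its match to the header line with `[^\n]{100,}`; this one should do the same, e.g. `pcre:"/filename=\s*[^\r\n]*\x2ewab/smi"`. Separately, sid:100000301 is addressed to `$HOME_NET 25` while every other rule in the file uses `$SMTP_SERVERS 25`; if that is intentional a one-line comment saying why would help, otherwise it should use the same variable.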
@@ -0,0 +1,326 @@
+ SOURCEFIRE, INC.
+ VRT CERTIFIED RULES LICENSE AGREEMENT
+ VERSION 1.1
+
+THE VRT CERTIFIED RULES ARE LICENSED TO YOU BY SOURCEFIRE, INC.
+("SOURCEFIRE") UNDER THE TERMS OF THIS VRT CERTIFIED RULES LICENSE
+AGREEMENT (THE "AGREEMENT"). BY CLICKING THE "ACCEPT" BUTTON BELOW, OR
+BY INSTALLING OR USING THE VRT CERTIFIED RULES, YOU ARE CONSENTING TO BE
+BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS AND
+CONDITIONS OF THIS AGREEMENT, DO NOT CLICK THE "ACCEPT" BUTTON, AND DO
+NOT INSTALL OR USE ANY PART OF THE VRT CERTIFIED RULES.
+
+1. Definitions.
+
+ 1.1. "Commercial Purpose" means the use, reproduction or distribution of
+ (i) the VRT Certified Rules or any Modification, or any portion of the
+ foregoing, or (ii) a Compilation that includes, in whole or in part, the
+ VRT Certified Rules or any Modification that in either case is intended
+ to result in a direct or indirect pecuniary gain or any other
+ consideration or economic benefit to any person or entity involved in
+ such use, reproduction or distribution. Examples of a Commercial
+ Purpose, include without limitation, (v) integrating the VRT Certified
+ Rules with other software or hardware for sale, (w) licensing the VRT
+ Certified Rules for a fee, (x) using the VRT Certified Rules to provide
+ a service to a third party, (y) selling the VRT Certified Rules, or (z)
+ distributing the VRT Certified Rules for use with other products or
+ other services.
+
+ 1.2. "Compilation" means a work which combines the VRT Certified Rules
+ or any Modification or portions thereof with any services, programs,
+ code or other products not governed by the terms of this Agreement.
+
+ 1.3. "Improvements" shall mean a Modification to a VRT Certified Rule
+ (or to a modified VRT Certified Rule) that corrects a bug, defect, or
+ error in such rule without affecting the overall functionality of such
+ VRT Certified Rule (or Modification thereof).
+
+ 1.4. "Modifications" means any alteration, addition to or deletion from
+ the substance or structure of the VRT Certified Rules or any
+ Modifications of such, including, without limitation,
+
+ (a) any addition to or deletion from the contents of a file
+ containing a VRT Certified Rule or a Modification;
+ (b) any derivative of the VRT Certified Rule or of any Modification;
+ or
+ (c) any new file that contains any part of the VRT Certified Rule or
+ Modifications.
+
+ 1.5. "Permitted Use" shall have the meaning given such term in Section 2.1.
+
+ 1.6. "Restricted Activities" shall have the meaning given such term in
+ Section 2.1.
+
+ 1.7. "Snort(r) Registered User" shall mean an individual who has
+ registered or subscribed on www.snort.org to use the VRT Certified Rules.
+
+ 1.8. "VRT Certified Rules" means those Snort(r) rules (in text form,
+ source code form, object code form and all documentation related
+ thereto) that have been created, developed, tested and officially
+ approved by Sourcefire. These rules are designated with SIDs of 3465 -
+ 1,000,000, except as otherwise noted in the license file.
+
+ 1.9. "You" (or "your") means an individual exercising rights under this
+ Agreement. For legal entities, "you'' includes any entity which
+ controls, is controlled by, or is under common control with you or any
+ such entity you are acting on behalf of. For purposes of this
+ definition, "control'' means (a) the power, direct or indirect, to cause
+ the direction or management of such entity, whether by contract or
+ otherwise, or (b) ownership of more than forty percent (40%) of the
+ outstanding shares or beneficial ownership of such entity.
+
+2. Sourcefire License Grant.
+
+ 2.1. Grant of License; Permitted Use. Subject to the terms and
+ conditions of this Agreement, Sourcefire hereby grants you a world-wide,
+ non-exclusive license to do any of the following with respect to the VRT
+ Certified Rules:
+
+ (a) use and deploy the VRT Certified Rules on management consoles and
+ sensors that you manage (over which you have administrative control);
+
+ (b) use and deploy the VRT Certified Rules on behalf of your employer
+ on its internal management consoles and sensors (e.g., where a valid
+ employer-employee relationship exists between you and a legal entity);
+
+ (c) modify the VRT Certified Rules and use those Modifications
+ consistent with paragraphs (a) and (b) above;
+
+ (d) distribute those VRT Certified Rules and any Modifications
+ generally available to Snort(r) Registered Users on a limited basis
+ to other Snort(r) Registered Users;
+
+ (e) distribute any Improvement generally available to Snort(r)
+ Registered Users on mailing lists commonly used by the Snort(r) user
+ community as a whole;
+
+ (f) reproduce the VRT Certified Rules as strictly necessary in
+ exercising your rights under this Section 2.1; and
+
+ (g) Make the VRT Certified Rules (or any Modification) available to
+ your or your employer's consultants, agents and subcontractors for
+ the limited purpose of exercising your rights under this Section 2.1
+ provided that such use is in compliance with this Agreement.
+
+ Paragraphs (a) though (g) of this Section 2.1 are collectively referred
+ to as the "Permitted Uses". All rights not granted under this Agreement
+ are reserved by Sourcefire.
+
+ 2.2. Limitations on License; Restricted Activities. You recognize and
+ agree that the VRT Certified Rules are the property of Sourcefire,
+ contain valuable assets and proprietary information and property of
+ Sourcefire, and are provided to you under the terms and conditions of
+ this Agreement. Notwithstanding anything to the contrary in this
+ Agreement, You agree that you shall NOT do any of the following without
+ Sourcefire's prior written consent:
+
+ (a) use, deploy, perform, modify, license, display, reproduce or
+ distribute the VRT Certified Rules or Modifications (even if merged
+ with other materials as a Compilation) other than as allowed under a
+ Permitted Use;
+
+ (b) sell, license, transfer, rent, loan, use, modify, reproduce or
+ disclose the VRT Certified Rules or any Modifications (in whole or in
+ part and whether done independently or as part of a Compilation) for
+ a Commercial Purpose;
+
+ (c) post or make generally available any VRT Certified Rule (in whole
+ or in part or any Modifications thereto) to individuals or a group of
+ individuals who have not agreed to the terms and conditions of this
+ Agreement, provided, however, that nothing in this Section 2.2(c)
+ shall preclude the Permitted Use in Section 2.1(e);
+
+ (d) share any user authentication information and/or password
+ provided to you by Sourcefire with any third party to allow such
+ party access your snort.org account or to otherwise access the VRT
+ Certified Rules;
+
+ (e) alter or remove any copyright notice or proprietary legend
+ contained in or on the VRT Certified Rules.
+
+ Paragraphs (a) though (e) of this Section 2.2 are collectively referred
+ to as the "Restricted Activities").
+
+ 2.3. Reproduction Obligations. You agree that any embodiment of the VRT
+ Certified Rules permitted under this Agreement will contain the notices
+ set forth in Exhibit A. In addition, to the extent you make any copies
+ of or distribute the VRT Certified Rules or any Modifications under this
+ Agreement, you agree to ensure that any and all such copies shall contain:
+
+ (a) a copy of an appropriate copyright notice and all other
+ applicable proprietary legends;
+
+ (b) a disclaimer of any warranty consistent with this Agreement; and
+
+ (c) any and all notices referencing this Agreement and absence of warranties.
+
+3. Modifications; Derivative Works. In the event you create a
+Modification, the use, reproduction and distribution of such
+Modifications shall be governed by the terms and conditions of this
+Agreement. Additionally, you hereby grant Sourcefire and any other
+licensee of the VRT Certified Rules an irrevocable, perpetual, fully
+paid-up, world-wide, royalty-free, non-exclusive license to use,
+reproduce, modify, display, perform and distribute such Modifications
+(and the source code thereto), provided, however, that you and any
+recipient of such Modifications must include:
+
+ (a) the original copyright notice and all other applicable
+ proprietary legends;
+
+ (b) the original warranty disclaimer;
+
+ (c) the original notices referencing this Agreement and absence of
+ warranties; and
+
+ (d) a prominent notice stating that you changed the VRT Certified
+ Rule (or any Modification thereto) and the date of any change.
+
+4. Distribution Obligations.
+
+ 4.1. General. The source code version of the VRT Certified Rules (or
+ any Modification thereof) may be distributed only under the terms of
+ this Agreement, and you must include a copy of this Agreement with every
+ copy of the VRT Certified Rules you distribute.
+
+ 4.2. Required Notices. You must duplicate the notice in Exhibit A in
+ each file of the source code. If it is not possible to put such notice
+ in a particular source code file due to its structure, then you must
+ include such notice in a location (such as a relevant directory) where a
+ user would be likely to look for such a notice. If you created one or
+ more Modification(s) you may add your name as a contributor to the
+ notice described in Exhibit A. You must also duplicate this Agreement in
+ any documentation for the source code where you describe recipients'
+ rights or ownership rights relating to the VRT Certified Rules. To the
+ extent you offer additional warranty, support, indemnity or liability
+ obligations, you may do so only on your own behalf, and not on behalf of
+ Sourcefire. You must make it absolutely clear that any such warranty,
+ support, indemnity or liability obligation is offered by you alone, and
+ you hereby agree to indemnify and hold Sourcefire harmless for any
+ liability incurred by Sourcefire as a result of any warranty, support,
+ indemnity or liability terms you offer.
+
+5. Inability to Comply Due to Statute or Regulation. If it is
+impossible for you to comply with any of the terms of this Agreement
+with respect to some or all of the VRT Certified Rules due to statute,
+judicial order, or regulation then you must: (a) comply with the terms
+of this Agreement to the maximum extent possible; and (b) describe the
+limitations and the code they affect. Such description must be included
+with all distributions of the source code. Except to the extent
+prohibited by statute or regulation, such description must be
+sufficiently detailed for a recipient of ordinary skill to be able to
+understand it.
+
+6. Application of this Agreement. This Agreement also applies to code
+to which Sourcefire has attached the notice in Exhibit A and to related
+Modifications created under Section 3.
+
+7. Versions of the Agreement.
+
+ 7.1. New Versions. Sourcefire may publish revised and/or new versions
+ of the Agreement from time to time. Each version will be given a
+ distinguishing version number.
+
+ 7.2. Effect of New Versions. Once a VRT Certified Rule has been
+ published under a particular version of the Agreement, you may always
+ continue to use it under the terms of that version. You may also choose
+ to use such VRT Certified Rule under the terms of any subsequent version
+ of the Agreement published by Sourcefire. No one other than Sourcefire
+ has the right to modify the terms applicable to a VRT Certified Rule.
+
+8. DISCLAIMER OF WARRANTY. THE VRT CERTIFIED RULES AND MODIFICATIONS IS
+ARE PROVIDED UNDER THIS AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION,
+WARRANTIES THAT THE VRT CERTIFIED RULES OR THE MODIFICATIONS ARE FREE OF
+DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING.
+THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE VRT CERTIFIED
+RULES AND MODIFICATIONS IS WITH YOU. SHOULD THE VRT CERTIFIED RULES OR
+MODIFICATIONS PROVE DEFECTIVE IN ANY RESPECT, YOU (NOT SOURCEFIRE)
+ASSUME THE COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS
+DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
+NO USE OF ANY VRT CERTIFIED RULE OR ANY MODIFICATION IS AUTHORIZED
+HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+
+9. Termination. This Agreement and the rights granted hereunder will
+terminate automatically if you fail to comply with any or all of the
+terms herein and fail to cure such breach within 30 days of becoming
+aware of the breach. All sublicenses to the VRT Certified Rules, which
+are properly granted, shall survive any termination of this Agreement.
+Provisions which, by their nature, must remain in effect beyond the
+termination of this Agreement shall survive.
+
+10. LIMITATION OF LIABILITY. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
+THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE,
+SHALL YOU OR SOURCEFIRE BE LIABLE TO ANY PERSON FOR ANY INDIRECT,
+SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER
+INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK
+STOPPAGE, SECURITY BREACHES OR FAILURES, COMPUTER FAILURE OR
+MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES, EVEN IF SUCH PARTY
+SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS
+LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
+PROHIBITS SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE
+EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS
+EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU.
+
+11. Audit Rights. You will, from time to time and as requested by
+Sourcefire, provide assurances to Sourcefire that you are using the VRT
+Certified Rules consistent with a Permitted Use, and you grant
+Sourcefire access, at reasonable times and in a reasonable manner, to
+the VRT Certified Rules in your possession or control, and to your
+books, records and facilities to permit Sourcefire to verify appropriate
+use of the VRT Certified Rules and compliance with this Agreement.
+Sourcefire's non-exercise of this right, or its failure to discover or
+object to any inappropriate use or other breach of this Agreement by
+you, shall not constitute its consent thereto or waiver of Sourcefire's
+rights hereunder or under law. In the event your use of the VRT
+Certified Rules is not in compliance with a Permitted Use, or if you
+otherwise violate the terms of this Agreement, Sourcefire may, since
+remedies at law may be inadequate, in addition to its other remedies:
+(a) demand return of the VRT Certified Rules; (b) forbid and enjoin your
+further use of the VRT Certified Rules; (c) assess you the cost of
+Sourcefire's inspection and enforcement efforts (including attorney
+fees); and/or (d) assess you a use fee appropriate to your actual use of
+the VRT Certified Rules.
+
+12. United States Government Users. If the VRT Certified Rules or
+Modifications are being acquired by or on behalf of the U.S. Government
+or by a U.S. Government prime contractor or subcontractor (at any tier),
+then the Government's rights in the VRT Certified Rules and
+Modifications shall be subject to Sourcefire's standard commercial terms
+and only as set forth in this Agreement; and only with "Limited Rights"
+and "Restricted Rights" as defined the federal regulations if the
+commercial terms are deemed not to apply..
+
+13. Miscellaneous. This Agreement represents the complete agreement
+concerning subject matter hereof. If any provision of this Agreement is
+held to be unenforceable, such provision shall be reformed only to the
+extent necessary to make it enforceable. This Agreement shall be
+governed by Maryland law provisions (except to the extent applicable
+law, if any, provides otherwise), excluding its conflict-of-law
+provisions. Any litigation relating to this Agreement shall be subject
+to the jurisdiction of the state and Federal Courts serving Greenbelt,
+Maryland, with the losing party responsible for costs, including without
+limitation, court costs and reasonable attorneys' fees and expenses.
+You hereby submit to jurisdiction and venue in such courts. The
+application of the United Nations Convention on Contracts for the
+International Sale of Goods is expressly excluded. Any law or regulation
+which provides that the language of a contract shall be construed
+against the drafter shall not apply to this Agreement. Headings and
+section references are used for reference only and shall not be used
+define, limit or describe such section.
+
+EXHIBIT A - VRT Certified Rules License Agreement
+The contents of this file are subject to the VRT Certified Rules License
+Agreement 1.1 (the "Agreement"). You may not use this file except in
+compliance with the Agreement. You may obtain a copy of the Agreement
+at www.snort.org.
+Software distributed under the Agreement is distributed on an "AS IS"
+basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+Agreement for the specific language governing rights and limitations
+under the Agreement.
+The developer of the VRT Certified Rules is Sourcefire, Inc., a Delaware
+corporation.
+Contributor:
+2005(c) Sourcefire, Inc. All Rights Reserved. Snort(r), Sourcefire(tm),
+the Snort(r) logo and the Sourcefire logo are trademarks of Sourcefire.
+
+Note: A printer friendly version of this Agreement is available in PDF format.
--- /dev/null
+++ b/rules/community-inappropriate.rules
@@ -0,0 +1,8 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-inappropriate.rules,v 1.8 2005/04/01 17:16:23 akirk Exp $
+
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE lolita sex"; content:"lolita"; nocase; content:"sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000105; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE preteen sex"; content:"teen"; nocase; pcre:"/pre-?teen/i"; flow:to_client,established; classtype:kickass-porn; sid:100000123; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"COMMUNITY INAPPROPRIATE girls gone wild"; content:"girls"; nocase; content:"gone"; nocase; content:"wild"; nocase; flow:to_client,established; classtype:kickass-porn; sid:100000124; rev:1;)
--- /dev/null
+++ b/rules/misc.rules
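Review bot: The three rules here (sid:100000105, 100000123, 100000124) test their `content:` tokens against the whole HTTP response with no buffer modifier and no `distance`/`within` relation between them, so sid:100000124 fires on any page that contains the words "girls", "gone" and "wild" anywhere and in any order. If the file is kept, a header comment such as `# Content-policy rules, not attack detection: expect a high false-positive rate` would set expectations for anyone enabling it. As a smaller point, `flow:to_client,established` is placed after the content matches in all three rules, whereas the other community files in this commit put `flow:` right after `msg:`; moving it first keeps the files consistent.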
@@ -0,0 +1,119 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: misc.rules,v 1.53.2.7.2.4 2005/07/22 19:19:54 mwatchinski Exp $ +#----------- +# MISC RULES +#----------- + +alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;) +alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;) +alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;) +alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;) +alert tcp $EXTERNAL_NET 53 -> 
$HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;) +alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;) + +# once we get response, check for content:"|00 01 00|"; offset:0; depth:3; +alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;) +# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;) +# alert ip $EXTERNAL_NET any -> $HOME_NET any 
(msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;) +alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;) +alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;) +alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; flow:to_server,established; dsize:>500; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:10;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;) +alert 
udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;) + + +# once we get response, check for content:"|03|"; offset:0; depth:1; +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1447; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; reference:url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx; classtype:protocol-command-decode; sid:1448; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:4;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; 
reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:6;) +alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:7;) + +alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;) +alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:6;) + + +# This rule needs some work since you don't have to pass BEGIN and END +# anywhere near each other. +# +#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \ +#! 
msg:"MISC CVS username overflow attempt"; flow:to_server,established; \ +#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \ +#! within:255; classtype:misc-attack;) + + +# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;) +alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot 
make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:2;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; dsize:>156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:8;)
+
+# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
+alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:8;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2159; rev:11;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; 
flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:5;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:12;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2532; rev:6;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2533; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; 
depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:1;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)
+alert udp $EXTERNAL_NET 
any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:3453; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; classtype:attempted-recon; sid:3454; rev:1;)
--- /dev/null
+++ b/rules/exploit.rules
@@ -0,0 +1,121 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
+#--------------
+# EXPLOIT RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 
(msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / 
HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
+alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
+alert udp $EXTERNAL_NET any 
-> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; 
flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; 
classtype:shellcode-detect; sid:1899; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
+
+alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
+alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; 
classtype:attempted-admin; sid:2319; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; 
reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; 
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
+alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;)
+
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
+alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
+alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer 
overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:""; nocase; isdataat:1024,relative; content:!""; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; 
pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT 
Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:2;)
+alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
+alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;)
+alert tcp $EXTERNAL_NET 8080 
-> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;)
+alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; 
reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; content:"|9C|"; depth:1; 
isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; content:"|9B|"; depth:1; isdataat:17; 
content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;)
--- /dev/null
+++ b/rules/sid
@@ -0,0 +1 @@
+3827
--- /dev/null
+++ b/rules/dos.rules
@@ -0,0 +1,45 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dos.rules,v 1.39.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
+#----------
+# DOS RULES
+#----------
+
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
+# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack";
fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:8;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
+# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445;
reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; classtype:web-application-attack; sid:1545; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
+alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:7;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275;
reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
+# alert tcp $EXTERNAL_NET !721:731 -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service denial of service attempt"; flow:to_server,established; dsize:>600; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:3;)
--- /dev/null
+++ b/rules/LICENSE
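Review bot: sid:272 and sid:273 in this hunk share the same header and detection options — `alert ip $EXTERNAL_NET any -> $HOME_NET any`, `fragbits:M+; ip_proto:2`, the same msg and classtype — and differ only in the extra MS99-034 URL reference carried by 272, so each matching fragmented IGMP packet fires both rules and produces two alerts for one event. Since 272 already holds the superset of references, the duplicate can be retired the same way the other disabled rules in this file are, by prefixing the sid:273 line with `# `. The file is imported verbatim from the Sourcefire VRT set (see the copyright header and `$Id`), so the same change presumably belongs upstream as well. A smaller point: sid:1545 (`DOS Cisco attempt`) is the only enabled rule here with no `reference:` option, and its `classtype:web-application-attack` does not match the attempted-dos classification its neighbours use, which makes the alert hard to triage; a `reference:` or a comment above it explaining what the single `|13|` byte at `dsize:1` corresponds to would help.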
@@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) 19yy + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. --- /dev/null +++ b/rules/smtp.rules 
@@ -0,0 +1,94 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: smtp.rules,v 1.44.2.4.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# SMTP RULES
+#-----------
+
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
+alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
+alert tcp $EXTERNAL_NET any -> 
$SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:11;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:10;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 
(msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:15;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; 
flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:17;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:15;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; 
sid:2087; rev:8;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; nocase; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:6;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:7;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND 
FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? 
$SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*? $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:5;) +alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; 
classtype:attempted-user; sid:2487; rev:7;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:7;) + + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:9;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:5;) +alert tcp $SMTP_SERVERS 
465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:5;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:5;) + + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:7;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; 
byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:13;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2542; rev:6;) +alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:6;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:6;) + + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2590; rev:4;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From command overflow attempt"; flow:to_server,established; content:"From"; nocase; 
pcre:"/^From\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2591; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ReplyTo command overflow attempt"; flow:to_server,established; content:"ReplyTo"; nocase; pcre:"/^ReplyTo\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2592; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Sender command overflow attempt"; flow:to_server,established; content:"Sender"; nocase; pcre:"/^Sender\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2593; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP To command overflow attempt"; flow:to_server,established; content:"To"; nocase; pcre:"/^To\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2594; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP CC command overflow attempt"; flow:to_server,established; content:"CC"; nocase; pcre:"/^CC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2595; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP BCC command overflow attempt"; flow:to_server,established; content:"BCC"; nocase; pcre:"/^BCC\s{65,}\x3a/smi"; reference:bugtraq,10291; reference:cve,2004-0400; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2596; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; 
reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3462; rev:2;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:2;) --- /dev/null +++ b/rules/community-deleted.rules @@ -0,0 +1,7 @@ +# Copyright 2006 Sourcefire, Inc. All Rights Reserved. # These rules are licensed under the GNU General Public License. +# Please see the file LICENSE in this directory for more details. +# $Id: community-deleted.rules,v 1.3 2006/12/05 20:32:48 akirk Exp $ + +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments.php"; nocase; uricontent:"keyword="; nocase; classtype:web-application-attack; sid:100000819; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED PhpWebGallery XSS attempt"; content:"GET"; nocase; depth:3; uricontent:"comments"; nocase; uricontent:"|2E|php"; nocase; uricontent:"|3F|keyword"; nocase; reference:bugtraq,18798; classtype:web-application-attack; sid:100000848; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY DELETED phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000381; rev:3;) --- /dev/null +++ b/rules/info.rules 
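Review bot: The rules tagged "sendmail prescan too many addresses overflow" (the SEND FROM, SAML FROM, SOML FROM, MAIL FROM and RCPT TO lines in the middle of the hunk) each carry a pcre built from roughly sixty chained `<[^\n]*?` lazy groups, which backtracks heavily on long non-matching command lines and is therefore a CPU risk for the sensor itself rather than for the mail server. The `content:"... FROM|3A|"` anchor limits how often the pcre is evaluated, but the packaged snort.conf should still bound it with `config pcre_match_limit:` and `config pcre_match_limit_recursion:` so that a crafted SMTP stream cannot stall inspection. Separately, the file header states that the file may mix proprietary "VRT Certified Rules" with GPL rules and defers to an external license agreement to tell them apart; nothing in the hunk records which rules are which, the same header is added in rules/info.rules and rules/web-iis.rules below, so the package's copyright documentation needs to state the origin and license of these files before they ship. Four of the prescan lines on this page are visibly truncated (the regex runs straight into `$SMTP_SERVERS 25 (msg:` with the closing `/smi"` and the next `+alert` marker missing), so what was actually committed there cannot be checked from this rendering.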
@@ -0,0 +1,32 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: info.rules,v 1.27.2.3.2.2 2005/05/31 17:13:02 mwatchinski Exp $
+#-----------
+# INFO RULES
+#-----------
+
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login incorrect"; flow:from_server,established; content:"Login incorrect"; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:9;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; 
reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:policy-violation; sid:490; rev:7;)
+alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"INFO TELNET login failed"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:9;)
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INFO web bug 0x0 gif attempt"; flow:from_server,established; content:"Content-type|3A| image/gif"; nocase; content:"GIF"; distance:0; nocase; content:"|01 00 01 00|"; within:4; distance:3; content:","; distance:0; content:"|01 00 01 00|"; within:4; distance:4; classtype:misc-activity; sid:2925; rev:3;)
--- /dev/null
+++ b/rules/web-iis.rules
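Review bot: sid:718 (`$TELNET_SERVERS 23`, content "Login incorrect") and sid:1251 (`$HOME_NET 23`, the same content with nocase) detect the same server reply, so whenever $TELNET_SERVERS lies inside $HOME_NET a single failed telnet login raises two alerts; one of the pair should be disabled in the packaged default or the two merged. None of the login-failure rules in this file (sid:718, 491, 492, 1251) rate-limit the way sid:2275 in rules/smtp.rules does, so a password-guessing run yields one alert per attempt and drowns the rest of the log; adding `threshold:type threshold, track by_dst, count 5, seconds 60;` to each, mirroring sid:2275, would keep them usable. The psyBNC rule sid:493 is `flow:from_server` on a `$HOME_NET any -> $EXTERNAL_NET any` header, which only fires when the bouncer runs on a local host; that is presumably the intended policy check, but a one-line comment saying so would save the next reader from reading it as a direction bug.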
@@ -0,0 +1,167 @@ +# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved +# +# This file may contain proprietary rules that were created, tested and +# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as +# rules that were created by Sourcefire and other third parties and +# distributed under the GNU General Public License (the "GPL Rules"). The +# VRT Certified Rules contained in this file are the property of +# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. +# The GPL Rules created by Sourcefire, Inc. are the property of +# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights +# Reserved. All other GPL Rules are owned and copyrighted by their +# respective owners (please see www.snort.org/contributors for a list of +# owners and their respective copyrights). In order to determine what +# rules are VRT Certified Rules or GPL Rules, please refer to the VRT +# Certified Rules License Agreement. +# +# +# $Id: web-iis.rules,v 1.78.2.5.2.6 2005/07/22 19:19:54 mwatchinski Exp $ +#-------------- +# WEB-IIS RULES +#-------------- + + +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; reference:bugtraq,6214; reference:cve,2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; reference:url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx; reference:url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx; classtype:web-application-attack; sid:1970; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS repost.asp access"; flow:to_server,established; uricontent:"/scripts/repost.asp"; nocase; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; uricontent:".htr"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; classtype:web-application-attack; sid:1806; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; uricontent:".asp"; nocase; content:"Transfer-Encoding|3A|"; nocase; content:"chunked"; distance:0; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:16;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; uricontent:"/StoreCSVS/InstantOrder.asmx"; nocase; classtype:web-application-activity; sid:1626; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS users.xml access"; flow:to_server,established; uricontent:"/users.xml"; nocase; classtype:web-application-activity; sid:1750; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web.exe access"; flow:to_server,established; uricontent:"/as_web.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1753; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS as_web4.exe access"; flow:to_server,established; uricontent:"/as_web4.exe"; nocase; reference:bugtraq,4670; classtype:web-application-activity; sid:1754; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; reference:bugtraq,4672; classtype:web-application-activity; sid:1756; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; 
flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:cve,2000-1089; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS trace.axd access"; flow:to_server,established; uricontent:"/trace.axd"; nocase; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /isapi/tstisapi.dll access"; flow:to_server,established; uricontent:"/isapi/tstisapi.dll"; nocase; reference:bugtraq,2381; reference:cve,2001-0302; classtype:web-application-activity; sid:1484; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; reference:nessus,10359; reference:url,www.osvdb.org/274; classtype:web-application-activity; sid:1485; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ctss.idc access"; flow:to_server,established; uricontent:"/ctss.idc"; nocase; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; reference:bugtraq,2736; classtype:web-application-activity; sid:969; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; 
reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida access"; flow:to_server,established; uricontent:".ida"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq attempt"; flow:to_server,established; uricontent:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:14;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .idq access"; flow:to_server,established; uricontent:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"%2easp"; nocase; reference:bugtraq,1814; reference:cve,1999-0253; classtype:web-application-activity; sid:972; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS *.idc attempt"; flow:to_server,established; uricontent:"/*.idc"; nocase; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:10;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Directory transversal attempt"; 
flow:to_server,established; content:"..|5C|.."; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; uricontent:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:12;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat? access"; flow:to_server,established; uricontent:".bat?"; nocase; reference:bugtraq,2023; reference:cve,1999-0233; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cnf access"; flow:to_server,established; uricontent:".cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; nocase; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:978; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ASP contents view"; flow:to_server,established; uricontent:".htw?CiWebHitsFile"; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx; classtype:web-application-attack; sid:979; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CGImail.exe access"; 
flow:to_server,established; uricontent:"/scripts/CGImail.exe"; nocase; reference:bugtraq,1623; reference:cve,2000-0726; classtype:web-application-activity; sid:980; rev:7;) + +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/ctguestb.idc"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS JET VBA access"; flow:to_server,established; uricontent:"/scripts/samples/details.idc"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MSProxy access"; flow:to_server,established; uricontent:"/scripts/proxy/w3proxy.dll"; nocase; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS +.htr code fragment attempt"; flow:to_server,established; uricontent:"+.htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx; classtype:web-application-attack; sid:1725; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .htr access"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:14;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS achg.htr access"; flow:to_server,established; 
uricontent:"/iisadmpwd/achg.htr"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS adctest.asp access"; flow:to_server,established; uricontent:"/msadc/samples/adctest.asp"; nocase; classtype:web-application-activity; sid:992; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; uricontent:"/scripts/iisadmin/default.htm"; nocase; classtype:web-application-attack; sid:994; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll access"; flow:to_server,established; uricontent:"/scripts/iisadmin/ism.dll?http/dir"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS anot.htr access"; flow:to_server,established; uricontent:"/iisadmpwd/anot"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-dot attempt"; flow:to_server,established; uricontent:".asp."; nocase; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS asp-srch attempt"; flow:to_server,established; uricontent:"|23|filename=*.asp"; nocase; classtype:web-application-attack; sid:998; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir access"; flow:to_server,established; uricontent:"/scripts/iisadmin/bdir.htr"; nocase; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS bdir.htr access"; flow:to_server,established; 
uricontent:"/bdir.htr"; nocase; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:1661; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; uricontent:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; classtype:web-application-attack; sid:1003; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser Exair access"; flow:to_server,established; uricontent:"/iissamples/exair/howitworks/codebrws.asp"; nocase; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS codebrowser SDK access"; flow:to_server,established; uricontent:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_JScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx; classtype:web-application-attack; sid:1007; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cross-site scripting attempt"; flow:to_server,established; uricontent:"/Form_VBScript.asp"; nocase; reference:bugtraq,119; reference:bugtraq,1594; reference:bugtraq,1595; 
reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; classtype:web-application-attack; sid:1380; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:1008; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS encoding access"; flow:to_server,established; content:"%1u"; reference:arachnids,200; reference:bugtraq,886; reference:cve,2000-0024; reference:url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx; classtype:web-application-activity; sid:1010; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; nocase; classtype:web-application-activity; sid:1011; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount attempt"; flow:to_server,established; uricontent:"/fpcount.exe"; content:"Digits="; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS fpcount access"; flow:to_server,established; uricontent:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS getdrvs.exe access"; flow:to_server,established; uricontent:"/scripts/tools/getdrvs.exe"; nocase; classtype:web-application-activity; sid:1015; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS global.asa access"; 
flow:to_server,established; uricontent:"/global.asa"; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; nocase; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iisadmpwd attempt"; flow:to_server,established; uricontent:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; uricontent:"CiWebHitsFile="; nocase; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; uricontent:"CiRestriction=none"; nocase; uricontent:"ciHiliteType=Full"; nocase; reference:bugtraq,950; reference:cve,2000-0097; reference:url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:15;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS isc$data attempt"; flow:to_server,established; uricontent:".idc|3A 3A 24|data"; nocase; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; uricontent:" .htr"; nocase; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx; classtype:web-application-attack; sid:1021; rev:14;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS jet vba access"; flow:to_server,established; 
uricontent:"/advworks/equipment/catalog_type.asp"; nocase; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:1022; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msadcs.dll access"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:1023; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS newdsn.exe access"; flow:to_server,established; uricontent:"/scripts/tools/newdsn.exe"; nocase; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl access"; flow:to_server,established; uricontent:"/scripts/perl"; nocase; classtype:web-application-activity; sid:1025; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse newline attempt"; flow:to_server,established; uricontent:"|0A|.pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1026; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS perl-browse space attempt"; flow:to_server,established; uricontent:" .pl"; nocase; reference:bugtraq,6833; classtype:web-application-attack; sid:1027; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS query.asp access"; flow:to_server,established; uricontent:"/issamples/query.asp"; nocase; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts-browse access"; flow:to_server,established; uricontent:"/scripts/ "; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS search97.vts 
access"; flow:to_server,established; uricontent:"/search97.vts"; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; uricontent:"/SiteServer/Publishing/viewcode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1032; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1033; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1034; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1035; rev:7;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode access"; flow:to_server,established; uricontent:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; reference:nessus,10576; classtype:web-application-activity; sid:1036; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS showcode.asp access"; flow:to_server,established; uricontent:"/showcode.asp"; nocase; reference:bugtraq,167; reference:cve,1999-0736; 
reference:nessus,10007; reference:url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx; classtype:web-application-activity; sid:1037; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site server config access"; flow:to_server,established; uricontent:"/adsamples/config/site.csc"; nocase; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srch.htm access"; flow:to_server,established; uricontent:"/samples/isapi/srch.htm"; nocase; classtype:web-application-activity; sid:1039; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS srchadm access"; flow:to_server,established; uricontent:"/srchadm"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS uploadn.asp access"; flow:to_server,established; uricontent:"/scripts/uploadn.asp"; nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; reference:cve,2000-0778; classtype:web-application-activity; sid:1042; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; flow:to_server,established; uricontent:"/viewcode.asp"; nocase; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS webhits access"; flow:to_server,established; uricontent:".htw"; reference:arachnids,237; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:8;) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS doctodep.btr access"; flow:to_server,established; uricontent:"doctodep.btr"; classtype:web-application-activity; sid:1726; rev:4;) +# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS site/iisamples access"; flow:to_server,established; uricontent:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS CodeRed v2 root.exe access"; flow:to_server,established; uricontent:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS outlook web dos"; flow:to_server,established; uricontent:"/exchange/LogonFrm.asp?"; nocase; content:"mailbox="; nocase; content:"%%%"; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /scripts/samples/ access"; flow:to_server,established; uricontent:"/scripts/samples/"; nocase; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /msadc/samples/ access"; flow:to_server,established; uricontent:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS iissamples access"; flow:to_server,established; uricontent:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-IIS iisadmin access"; flow:to_server,established; uricontent:"/iisadmin"; nocase; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS msdac access"; flow:to_server,established; uricontent:"/msdac/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS _mem_bin access"; flow:to_server,established; uricontent:"/_mem_bin/"; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS htimage.exe access"; flow:to_server,established; uricontent:"/htimage.exe"; nocase; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server default login attempt"; flow:to_server,established; uricontent:"/SiteServer/Admin/knowledge/persmbr/"; nocase; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS Site Server admin attempt"; flow:to_server,established; uricontent:"/Site Server/Admin/knowledge/persmbr/"; nocase; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS postinfo.asp access"; flow:to_server,established; uricontent:"/scripts/postinfo.asp"; 
nocase; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp attempt"; flow:to_server,established; uricontent:"/exchange/root.asp?acs=anon"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx; classtype:web-application-attack; sid:1567; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /exchange/root.asp access"; flow:to_server,established; uricontent:"/exchange/root.asp"; nocase; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:11;)
+
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asa"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1802; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cer"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1803; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; 
reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1804; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .asp HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; uricontent:".asp"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; reference:url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx; classtype:web-application-attack; sid:1801; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Battleaxe Forum login.asp access"; flow:to_server,established; uricontent:"myaccount/login.asp"; nocase; reference:bugtraq,7416; reference:cve,2003-0215; classtype:web-application-activity; sid:2117; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; 
reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect siteadmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/SiteAdmin.asp"; nocase; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS IISProtect access"; flow:to_server,established; uricontent:"/iisprotect/admin/"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; uricontent:"/en/admin/aggregate.asp"; nocase; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; classtype:web-application-activity; sid:2133; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS 
UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2247; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:bugtraq,4720; reference:cve,2002-0375; 
reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:9;)
+
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; uricontent:"/frmGetAttachment.aspx"; nocase; reference:bugtraq,9805; classtype:web-application-activity; sid:2571; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; uricontent:"/login.aspx"; nocase; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; reference:bugtraq,9805; classtype:web-application-attack; sid:2572; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; uricontent:"/frmCompose.aspx"; reference:bugtraq,9805; classtype:web-application-activity; sid:2573; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; uricontent:"/w3who.dll?"; nocase; pcre:"/w3who.dll\x3F[^\r\n]{519}/i"; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:2;) 
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .cmd executable file parsing attack"; flow:established,to_server; uricontent:".cmd|22|"; nocase; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS .bat executable file parsing attack"; flow:established,to_server; uricontent:".bat|22|"; nocase; pcre:"/.bat\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS httpodbc.dll access - nimda"; flow:to_server,established; uricontent:"/httpodbc.dll"; nocase; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; uricontent:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; reference:bugtraq,5004; reference:cve,2002-0186; reference:url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:4;)
--- /dev/null
+++ b/rules/web-client.rules
@@ -0,0 +1,54 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-client.rules,v 1.20.2.8.2.7 2005/07/22 19:19:54 mwatchinski Exp $
+#---------------
+# WEB-CLIENT RULES
+#---------------
+#
+# These signatures look for two things:
+# * bad things coming from our users
+# * attacks against our web users
+
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Outlook EML access"; flow:from_client,established; uricontent:".eml"; reference:nessus,10767; classtype:attempted-user; sid:1233; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access"; flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120; reference:bugtraq,9707; reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2435; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft wmf metafile access"; flow:from_client,established; uricontent:".wmf"; reference:bugtraq,10120; reference:bugtraq,9707; 
reference:cve,2003-0906; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-user; sid:2436; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT readme.eml download attempt"; flow:from_client,established; uricontent:"/readme.eml"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT readme.eml autoload attempt"; flow:to_client,established; content:"window.open|28 22|readme.eml|22|"; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript document.domain attempt"; flow:to_client,established; content:"document.domain|28|"; nocase; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:7;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Javascript URL host spoofing attempt"; flow:to_client,established; content:"javascript|3A|//"; nocase; reference:bugtraq,5293; classtype:attempted-user; sid:1841; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmi.*? 
$HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2438; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2439; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2440; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; 
reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; 
rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type 
overflow attempt"; flow:from_server,established; content:"]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)
--- /dev/null
+++ b/rules/unicode.map
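Review bot: sid:2440 (RealPlayer playlist rtsp URL overflow) pairs `content:"rtsp|3A|//"` with the pcre copied from sid:2439, `pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"`, so it only fires when an over-long http:// line is also present and never on the rtsp:// case its message names; it should read `pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"` with the rev bumped. The three JPEG rules sid:2705-2707 are shipped commented out with no reason recorded; a one-line comment above them stating why they are disabled would stop the next maintainer re-enabling them blind. The copy of this hunk as rendered here also appears to have lost text in the RealPlayer SMIL rule after `application\x2fsmi.*?` and at the start of the pcre in sid:3149 and sid:3148 (`]*type`, `]*classid`), presumably stripped angle-bracket markup, and no rule that sets the realplayer.playlist flowbit tested by sid:2438-2440 is visible; worth confirming the committed file is intact.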
@@ -0,0 +1,104 @@ +# Windows Version: 5.00.2195 +# OEM codepage: 437 +# ACP codepage: 1252 + +# INSTALLED CODEPAGES +10000 (MAC - Roman) + + +10079 (MAC - Icelandic) + + +1250 (ANSI - Central Europe) +00a1:21 00a2:63 00a3:4c 00a5:59 00aa:61 00b2:32 00b3:33 00b9:31 00ba:6f 00bc:31 00bd:31 00be:33 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 00cc:49 00cf:49 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 
212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1251 (ANSI - Cyrillic) +00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221a:76 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2552:2d 2558:4c 2559:4c 255a:4c 255b:2d 255c:2d 255d:2d 2564:54 2565:54 2566:54 256a:2b 256b:2b 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 
ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1252 (ANSI - Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c8:27 02cb:60 02cd:5f 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 0398:54 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2017:3d 2032:27 2035:60 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 207f:6e 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 
2133:4d 2134:6f 2212:2d 2215:2f 2216:5c 2217:2a 221a:76 221e:38 2223:7c 2229:6e 2236:3a 223c:7e 2261:3d 2264:3d 2265:3d 2303:5e 2320:28 2321:29 2329:3c 232a:3e 2500:2d 250c:2b 2510:2b 2514:2b 2518:2b 251c:2b 252c:2d 2534:2d 253c:2b 2550:2d 2552:2b 2553:2b 2554:2b 2555:2b 2556:2b 2557:2b 2558:2b 2559:2b 255a:2b 255b:2b 255c:2b 255d:2b 2564:2d 2565:2d 2566:2d 2567:2d 2568:2d 2569:2d 256a:2b 256b:2b 256c:2b 2584:5f 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1253 (ANSI - Greek) +00b4:2f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 
0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 037e:3b 203c:21 2190:3c 2191:5e 2192:3e 2193:76 2194:2d 221f:4c 2500:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1254 
(ANSI - Turkish) +00dd:59 00fd:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c7:5e 02c8:27 02cb:60 02cd:5f 02d8:5e 02d9:27 0300:60 0302:5e 0331:5f 0332:5f 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2032:27 2035:60 203c:21 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2081:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2191:5e 2193:76 2194:2d 2195:7c 21a8:7c 2212:2d 2215:2f 2216:5c 2217:2a 221f:4c 2223:7c 2236:3a 223c:7e 2303:5e 2329:3c 232a:3e 2502:2d 250c:2d 2514:4c 2518:2d 251c:2b 2524:2b 252c:54 
2534:2b 253c:2b 2550:3d 2554:2d 255a:4c 255d:2d 2566:54 256c:2b 2580:2d 2584:2d 2588:2d 2591:2d 2592:2d 2593:2d 25ac:2d 25b2:5e 25ba:3e 25c4:3c 25cb:30 25d9:30 263a:4f 263b:4f 263c:30 2640:2b 2642:3e 266a:64 266b:64 2758:7c 3000:20 3008:3c 3009:3e 301a:5b 301b:3d 301d:22 301e:22 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1255 (ANSI - Hebrew) +0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1256 (ANSI - Arabic) +00c0:41 00c2:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00ce:49 00cf:49 00d4:4f 00d9:55 00db:55 00dc:55 0191:46 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 
ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1257 (ANSI - Baltic) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +1258 (ANSI/OEM - Viet Nam) +ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 
ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +#INVALID CODEPAGE: 1361 +20127 (US-ASCII) +00a0:20 00a1:21 00a2:63 00a4:24 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ad:2d 00ae:52 00b2:32 00b3:33 00b7:2e 00b8:2c 00b9:31 00ba:6f 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 
01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +20261 (T.61) +f8dd:5c f8de:5e f8df:60 f8e0:7b f8fc:7d f8fd:7e f8fe:7f + +20866 (Russian - KOI8) +00a7:15 00ab:3c 00ad:2d 00ae:52 00b1:2b 00b6:14 00bb:3e 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 
0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2026:3a 2030:25 2039:3c 203a:3e 203c:13 2122:54 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e + +28591 (ISO 8859-1 Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 
014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +28592 (ISO 8859-2 Central Europe) +00a1:21 00a2:63 00a5:59 00a6:7c 00a9:43 00aa:61 00ab:3c 00ae:52 00b2:32 00b3:33 00b7:2e 00b9:31 00ba:6f 00bb:3e 00c0:41 00c3:41 00c5:41 00c6:41 00c8:45 00ca:45 
00cc:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d5:4f 00d8:4f 00d9:55 00db:55 00e0:61 00e3:61 00e5:61 00e6:61 00e8:65 00ea:65 00ec:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f8:6f 00f9:75 00fb:75 00ff:79 0100:41 0101:61 0108:43 0109:63 010a:43 010b:63 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 013b:4c 013c:6c 0145:4e 0146:6e 014c:4f 014d:6f 014e:4f 014f:6f 0152:4f 0153:6f 0156:52 0157:72 015c:53 015d:73 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d 
ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +#INVALID CODEPAGE: 28595 +#INVALID CODEPAGE: 28597 +28605 (ISO 8859-15 Latin 9) +00a6:7c 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0138:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014a:4e 014b:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:54 0169:74 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0179:5a 017b:5a 017c:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:2e 2026:2e 2032:27 2035:60 2039:3c 203a:3e 2122:54 ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a 
ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +37 (IBM EBCDIC - U.S./Canada) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:5a 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005f:6d 0060:79 007c:4f 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a2:4a 00a6:6a 00ac:5f 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:5a ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3f:6d ff40:79 ff5c:4f + +437 (OEM - United States) +00a4:0f 00a7:15 00a8:22 00a9:63 00ad:2d 00ae:72 00af:5f 00b3:33 00b4:27 00b6:14 00b8:2c 00b9:31 00be:5f 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:78 00d8:4f 00d9:55 00da:55 00db:55 00dd:59 00de:5f 00e3:61 00f0:64 00f5:6f 00f8:6f 00fd:79 00fe:5f 
0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02ca:27 02cb:60 02cd:5f 02dc:7e 0300:60 0301:27 0302:5e 0303:7e 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:60 2019:27 201a:2c 201c:22 201d:22 201e:2c 2020:2b 2022:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2082:32 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:09 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2128:5a 
212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2212:2d 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2758:7c 3000:20 3007:09 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +500 (IBM EBCDIC - International) +0004:37 0005:2d 0006:2e 0007:2f 0008:16 0009:05 000a:25 0014:3c 0015:3d 0016:32 0017:26 001a:3f 001b:27 0020:40 0021:4f 0022:7f 0023:7b 0024:5b 0025:6c 0026:50 0027:7d 0028:4d 0029:5d 002a:5c 002b:4e 002c:6b 002d:60 002e:4b 002f:61 003a:7a 003b:5e 003c:4c 003d:7e 003e:6e 003f:6f 0040:7c 005b:4a 005d:5a 005e:5f 005f:6d 0060:79 007f:07 0080:20 0081:21 0082:22 0083:23 0084:24 0085:15 0086:06 0087:17 0088:28 0089:29 008a:2a 008b:2b 008c:2c 008d:09 008e:0a 008f:1b 0090:30 0091:31 0092:1a 0093:33 0094:34 0095:35 0096:36 0097:08 0098:38 0099:39 009a:3a 009b:3b 009c:04 009d:14 009e:3e 00a0:41 00a6:6a 00c0:64 00c1:65 00c2:62 00c3:66 00c4:63 00c5:67 00c7:68 00c8:74 00c9:71 00ca:72 00cb:73 00cc:78 00cd:75 00ce:76 00cf:77 00d1:69 00df:59 00e0:44 00e1:45 00e2:42 00e3:46 00e4:43 00e5:47 
00e7:48 00e8:54 00e9:51 00ea:52 00eb:53 00ec:58 00ed:55 00ee:56 00ef:57 00f1:49 00f8:70 ff01:4f ff02:7f ff03:7b ff04:5b ff05:6c ff06:50 ff07:7d ff08:4d ff09:5d ff0a:5c ff0b:4e ff0c:6b ff0d:60 ff0e:4b ff0f:61 ff1a:7a ff1b:5e ff1c:4c ff1d:7e ff1e:6e ff20:7c ff3b:4a ff3d:5a ff3e:5f ff3f:6d ff40:79 + +850 (OEM - Multilingual Latin I) +0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01a9:53 01ab:74 01ae:54 01af:55 01b0:75 01b6:5a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02cb:27 02cd:5f 02dc:7e 0300:27 0302:5e 0303:7e 030e:22 0331:5f 0332:5f 037e:3b 0393:47 03a3:53 03a6:46 03a9:4f 03b1:61 03b4:64 03b5:65 03c0:70 03c3:73 03c4:74 03c6:66 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 
2024:07 2026:2e 2030:25 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:39 207f:6e 2080:30 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:50 2119:50 211a:51 211b:52 211c:52 211d:52 2122:54 2124:5a 2126:4f 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2211:53 2212:2d 2215:2f 2216:2f 2217:2a 2219:07 221a:56 221e:38 221f:1c 2229:6e 2236:3a 223c:7e 2248:7e 2261:3d 2264:3d 2265:3d 2302:7f 2303:5e 2320:28 2321:29 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 2713:56 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +860 (OEM - Portuguese) +00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00be:33 00c4:41 00c5:41 00c6:41 00cb:45 00ce:49 00cf:49 00d0:44 00d6:4f 00d7:58 00d8:4f 00db:55 00dd:59 00de:54 00e4:61 00e5:61 00e6:61 00eb:65 00ee:69 00ef:69 00f0:64 00f6:6f 00f8:6f 00fb:75 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 
0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:5c 0161:7c 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0191:46 0192:66 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c0:7c 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:5f 2011:5f 2013:5f 2014:5f 2017:5f 2018:27 2019:27 201a:2c 201c:22 201d:22 201e:22 2022:07 2024:07 2026:2e 2030:25 2032:27 2035:60 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 
2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +861 (OEM - Icelandic) +00a2:63 00a4:0f 00a5:59 00a7:15 00a8:22 00a9:63 00aa:61 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00ba:6f 00be:33 00c0:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00db:55 00e3:61 00ec:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f5:6f 00f9:75 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 
01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 0278:66 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +863 (OEM - Canadian French) +00a1:21 00a5:59 00a9:63 00aa:61 00ad:16 00ae:72 00b9:33 00ba:6f 00c1:41 00c3:41 00c4:41 00c5:41 00c6:41 00cc:49 00cd:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d5:4f 00d6:4f 00d7:58 00d8:4f 00da:55 00dd:59 00de:54 00e1:61 00e3:61 00e4:61 00e5:61 00e6:61 00ec:69 00ed:69 00f0:64 00f1:6e 00f2:6f 00f5:6f 00f6:6f 00f8:6f 00fd:79 00fe:74 00ff:79 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 
012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:22 02ba:27 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02cb:60 02cd:5f 02dc:7e 0300:60 0302:5e 0303:7e 0304:16 0305:16 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 2010:2d 2011:2d 2013:2d 2014:2d 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20a7:50 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212b:41 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 
2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 301a:5b 301b:5d 30fb:07 + +865 (OEM - Nordic) +00a2:63 00a5:59 00a7:15 00a8:22 00a9:63 00ad:5f 00ae:72 00af:16 00b3:33 00b4:2f 00b6:14 00b8:2c 00b9:31 00bb:3e 00be:33 00c0:41 00c1:41 00c2:41 00c3:41 00c8:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d7:58 00d9:55 00da:55 00db:55 00dd:59 00de:54 00e3:61 00f0:64 00f5:6f 00fd:79 00fe:74 0100:41 0101:61 0102:41 0103:61 0104:41 0105:61 0106:43 0107:63 0108:43 0109:63 010a:43 010b:63 010c:43 010d:63 010e:44 010f:64 0110:44 0111:64 0112:45 0113:65 0114:45 0115:65 0116:45 0117:65 0118:45 0119:65 011a:45 011b:65 011c:47 011d:67 011e:47 011f:67 0120:47 0121:67 0122:47 0123:67 0124:48 0125:68 0126:48 0127:68 0128:49 0129:69 012a:49 012b:69 012c:49 012d:69 012e:49 012f:69 0130:49 0131:69 0134:4a 0135:6a 0136:4b 0137:6b 0139:4c 013a:6c 013b:4c 013c:6c 013d:4c 013e:6c 0141:4c 0142:6c 0143:4e 0144:6e 0145:4e 0146:6e 0147:4e 0148:6e 014c:4f 014d:6f 014e:4f 014f:6f 0150:4f 0151:6f 0152:4f 0153:6f 0154:52 0155:72 0156:52 0157:72 0158:52 0159:72 015a:53 015b:73 015c:53 015d:73 015e:53 015f:73 0160:53 0161:73 0162:54 0163:74 0164:54 0165:74 0166:54 0167:74 0168:55 0169:75 016a:55 016b:75 016c:55 016d:75 016e:55 016f:75 0170:55 0171:75 0172:55 0173:75 0174:57 0175:77 0176:59 0177:79 0178:59 0179:5a 017b:5a 017c:7a 017d:5a 017e:7a 0180:62 0189:44 0197:49 019a:6c 019f:4f 01a0:4f 01a1:6f 01ab:74 01ae:54 01af:55 01b0:75 01b6:7a 01c3:21 01cd:41 01ce:61 01cf:49 01d0:69 01d1:4f 01d2:6f 01d3:55 01d4:75 01d5:55 01d6:75 01d7:55 01d8:75 01d9:55 01da:75 01db:55 01dc:75 01de:41 01df:61 01e4:47 01e5:67 01e6:47 01e7:67 01e8:4b 01e9:6b 01ea:4f 01eb:6f 01ec:4f 01ed:6f 01f0:6a 0261:67 02b9:27 02ba:22 02bc:27 02c4:5e 02c6:5e 02c8:27 02c9:16 02ca:2f 02cb:60 02cd:5f 02dc:7e 0300:60 0301:2f 0302:5e 0303:7e 0304:16 0305:16 0308:22 030e:22 0327:2c 0331:5f 0332:5f 037e:3b 04bb:68 0589:3a 066a:25 2000:20 2001:20 2002:20 2003:20 2004:20 2005:20 2006:20 
2010:2d 2011:2d 2013:2d 2014:2d 2017:5f 2018:27 2019:27 201a:27 201c:22 201d:22 201e:22 2022:07 2024:07 2026:07 2030:25 2032:27 2035:27 2039:3c 203a:3e 203c:13 2044:2f 2070:30 2074:34 2075:35 2076:36 2077:37 2078:38 2080:30 2081:31 2083:33 2084:34 2085:35 2086:36 2087:37 2088:38 2089:39 20dd:4f 2102:43 2107:45 210a:67 210b:48 210c:48 210d:48 210e:68 2110:49 2111:49 2112:4c 2113:6c 2115:4e 2118:70 2119:50 211a:51 211b:52 211c:52 211d:52 2122:74 2124:5a 2128:5a 212a:4b 212c:42 212d:43 212e:65 212f:65 2130:45 2131:46 2133:4d 2134:6f 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 2205:4f 2212:5f 2215:2f 2216:5c 2217:2a 221f:1c 2223:7c 2236:3a 223c:7e 226b:3c 22c5:07 2302:7f 2303:5e 2329:3c 232a:3e 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e 3000:20 3007:4f 3008:3c 3009:3e 300b:3e 301a:5b 301b:5d 30fb:07 + +874 (ANSI/OEM - Thai) +00a7:15 00b6:14 203c:13 2190:1b 2191:18 2192:1a 2193:19 2194:1d 2195:12 21a8:17 221f:1c 2302:7f 25ac:16 25b2:1e 25ba:10 25bc:1f 25c4:11 25cb:09 25d8:08 25d9:0a 263a:01 263b:02 263c:0f 2640:0c 2642:0b 2660:06 2663:05 2665:03 2666:04 266a:0d 266b:0e ff01:21 ff02:22 ff03:23 ff04:24 ff05:25 ff06:26 ff07:27 ff08:28 ff09:29 ff0a:2a ff0b:2b ff0c:2c ff0d:2d ff0e:2e ff0f:2f ff10:30 ff11:31 ff12:32 ff13:33 ff14:34 ff15:35 ff16:36 ff17:37 ff18:38 ff19:39 ff1a:3a ff1b:3b ff1c:3c ff1d:3d ff1e:3e ff20:40 ff21:41 ff22:42 ff23:43 ff24:44 ff25:45 ff26:46 ff27:47 ff28:48 ff29:49 ff2a:4a ff2b:4b ff2c:4c ff2d:4d ff2e:4e ff2f:4f ff30:50 ff31:51 ff32:52 ff33:53 ff34:54 ff35:55 ff36:56 ff37:57 ff38:58 ff39:59 ff3a:5a ff3b:5b ff3c:5c ff3d:5d ff3e:5e ff3f:5f ff40:60 ff41:61 ff42:62 ff43:63 ff44:64 ff45:65 ff46:66 ff47:67 ff48:68 ff49:69 ff4a:6a ff4b:6b ff4c:6c ff4d:6d ff4e:6e ff4f:6f ff50:70 ff51:71 ff52:72 ff53:73 ff54:74 ff55:75 ff56:76 ff57:77 ff58:78 ff59:79 ff5a:7a ff5b:7b ff5c:7c ff5d:7d ff5e:7e + +932 (ANSI/OEM - Japanese Shift-JIS) +00a1:21 
00a5:5c 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:64 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +936 (ANSI/OEM - Simplified Chinese GBK) +00a6:7c 00aa:61 00ad:2d 00b2:32 00b3:33 00b9:31 00ba:6f 00d0:44 00dd:59 00de:54 00e2:61 00f0:65 00fd:79 00fe:74 + +949 (ANSI/OEM - Korean) +00a6:7c 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00ff:79 20a9:5c + +950 (ANSI/OEM - Traditional Chinese Big5) +00a1:21 00a6:7c 00a9:63 00aa:61 00ad:2d 00ae:52 00b2:32 00b3:33 00b9:31 00ba:6f 00c0:41 00c1:41 00c2:41 00c3:41 00c4:41 00c5:41 00c6:41 00c7:43 00c8:45 00c9:45 00ca:45 00cb:45 00cc:49 00cd:49 00ce:49 00cf:49 00d0:44 00d1:4e 00d2:4f 00d3:4f 00d4:4f 00d5:4f 00d6:4f 00d8:4f 00d9:55 00da:55 00db:55 00dc:55 00dd:59 00de:54 00df:73 00e0:61 00e1:61 00e2:61 00e3:61 00e4:61 00e5:61 00e6:61 00e7:63 00e8:65 00e9:65 00ea:65 00eb:65 00ec:69 00ed:69 00ee:69 00ef:69 00f0:65 00f1:6e 00f2:6f 00f3:6f 00f4:6f 00f5:6f 00f6:6f 00f8:6f 00f9:75 00fa:75 00fb:75 00fc:75 00fd:79 00fe:74 00ff:79 + +65000 (UTF-7) + + +65001 (UTF-8) + + --- /dev/null +++ b/rules/community-web-misc.rules 
@@ -0,0 +1,215 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-web-misc.rules,v 1.45 2007/04/20 13:28:50 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/ "; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
+# Following rule submitted by Alexandru Ionica , and revised by Jason Haar
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; classtype:misc-activity; sid:100000132; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; classtype:attempted-dos; sid:100000178; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; classtype:attempted-recon; sid:100000179; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 41080 (msg:"COMMUNITY WEB-MISC Symantec Brightmail Antispam default login attempt"; flow:to_server,established; uricontent:"/brightmail/viewLogin.do"; nocase; uricontent:"user|3D|admin"; nocase; uricontent:"pass|3D|symantec"; nocase; reference:nessus,19598; reference:url,securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html; classtype:web-application-attack; sid:100000200; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC FtpLocate flsearch.pl possible command execution attempt"; flow:to_server,established; uricontent:"/flsearch.pl"; nocase; uricontent:"cmd|3D|exec_flsearch"; nocase; reference:bugtraq,14367; reference:cve,2005-2420; reference:nessus,19300; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=18305; classtype:web-application-attack; sid:100000209; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; sid:100000210; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; flow:to_server,established; content:"POST"; nocase; depth:4; uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; classtype:web-application-attack; sid:100000216; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC man2web cmd exec attempt"; flow:to_server,established; uricontent:"/man2web"; nocase; uricontent:"|2D|P"; reference:cve,2005-2812; reference:bugtraq,14747; reference:nessus,19591; classtype:web-application-attack; sid:100000217; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASPSurvey Login_Validate.asp Password param access"; flow:to_server,established; uricontent:"/Login_Validate.asp"; nocase; uricontent:"Password|3D|"; nocase; reference:cve,2006-0192; classtype:web-application-activity; sid:100000225; rev:1;)
+
+#Rule to detect use of Google's translation feature to bypass content monitor submitted by David Bianco
+alert tcp any any -> any $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Proxy Bypass Via Google Translation Same To And From Language"; flow:established, to_server; uricontent:"/translate?"; pcre:"/translate\?.*langpair=([a-zA-Z]+)(%7C|\|)\1\&/Ui"; classtype: policy-violation; reference:url,www.boingboing.net/2006/02/22/argonne_national_lab.html; sid:100000237; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sRedirectUrl parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sRedirectUrl="; nocase; pcre:"/sRedirectUrl=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000302; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DeviceSelection.asp sCancelURL parameter access"; flow:to_server,established; uricontent:"DeviceSelection.asp"; nocase; uricontent:"sCancelURL="; nocase; pcre:"/sCancelURL=(https?|ftp)/Ui"; reference:bugtraq,17964; classtype:web-application-attack; sid:100000303; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21700 (msg:"COMMUNITY WEB-MISC 3Com Network Supervisor directory traversal"; flow:to_server,established; content:"GET"; nocase; pcre:"/GET[^\r\n]*?\x2e\x2e(\x2f|\x5c)[^\r\n]*?HTTP[^\r\n]*?\r\n/msi"; reference:bugtraq,14715; reference:cve,2005-2020; classtype:web-application-attack; sid:100000313; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MediaWiki parser script insertion attempt"; flow:to_server,established; content:"POST"; nocase; content:"|7B 7B 7B|"; pcre:"/\x7B\x7B\x7B[^\r\n]*\x3C[^\r\n]*\x7C[^\r\n]*\x3E[^\r\n]*\x7D\x7D\x7D/"; reference:cve,2006-2611; classtype:attempted-user; sid:100000314; rev:1;)
+
+#Rules for detecting HTTP PUT requests, successful or not, submitted by David Bianco; enable only after reading the rule documentation for these two SIDs
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP PUT Request"; flow:to_server,established; content:"PUT "; depth:4; flowbits:set,http.put; flowbits:noalert; classtype:misc-activity; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000315; rev:1;)
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC HTTP PUT Request Successful"; flow:from_server,established; flowbits:isset,http.put; content:"HTTP/"; nocase; depth:5; content:"200"; within:7; classtype:web-application-attack; reference:url,infosecpotpourri.blogspot.com/2006/06/http-put-defacement-attempts.html; sid:100000316; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar classified_right.php remote file include"; flow:to_server,established; uricontent:"/classified_right.php"; nocase; uricontent:"language_dir="; nocase; pcre:"/language_dir=(https?|ftp)/Ui"; reference:bugtraq,18052; classtype:web-application-attack; sid:100000317; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBazar admin.php unauthorized administrative access"; flow:to_server,established; uricontent:"/admin/admin.php"; nocase; uricontent:"action=edit_member&value=1"; nocase; reference:bugtraq,18053; reference:cve,2006-2527; classtype:web-application-attack; sid:100000318; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ActualScripts direct.php remote file include"; flow:to_server,established; uricontent:"/direct.php"; nocase; uricontent:"rf="; nocase; pcre:"/rf=(https?|ftp)/Ui"; reference:bugtraq,17597; classtype:web-application-attack; sid:100000319; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews functions.php remote file include"; flow:to_server,established; uricontent:"/functions.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000320; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews help.php remote file include"; flow:to_server,established; uricontent:"/help.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000321; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews mail.php remote file include"; flow:to_server,established; uricontent:"/mail.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000322; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews news.php remote file include"; flow:to_server,established; uricontent:"/news.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000323; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000324; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_cats.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_cats.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000325; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_edit.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_edit.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000326; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_import.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_import.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000327; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ScozNet ScozNews admin_templates.php remote file include"; flow:to_server,established; uricontent:"/Admin/admin_templates.php"; nocase; uricontent:"main_path="; nocase; pcre:"/main_path=(https?|ftp)/Ui"; reference:bugtraq,18027; classtype:web-application-attack; sid:100000328; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board class_post.php remote file include"; flow:to_server,established; uricontent:"/classes/post/class_post.php"; nocase; uricontent:"post_icon="; nocase; pcre:"/post_icon=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000329; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Invision Power Board moderate.php remote file include"; flow:to_server,established; uricontent:"/action_public/moderate.php"; nocase; uricontent:"df="; nocase; pcre:"/df=(https?|ftp)/Ui"; reference:bugtraq,18040; classtype:web-application-attack; sid:100000330; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ZixForum settings.asp access"; flow:to_server,established; uricontent:"/settings.asp"; nocase; uricontent:"layid="; nocase; reference:bugtraq,18043; classtype:web-application-attack; sid:100000331; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"email="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000332; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Artmedic Newsletter log.php access"; flow:to_server,established; uricontent:"/log.php"; nocase; uricontent:"logfile="; nocase; reference:bugtraq,18047; classtype:web-application-attack; sid:100000333; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars reconfig.php remote file include"; flow:to_server,established; uricontent:"/reconfig.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000334; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CaLogic Calendars srxclr.php remote file include"; flow:to_server,established; uricontent:"/srxclr.php"; nocase; uricontent:"CLPath="; nocase; pcre:"/CLPath=(https?|ftp)/Ui"; reference:bugtraq,18076; classtype:web-application-attack; sid:100000335; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory footer.php remote file include"; flow:to_server,established; uricontent:"/footer.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000336; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory defaults_setup.php remote file include"; flow:to_server,established; uricontent:"/defaults_setup.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000337; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpMyDirectory header.php remote file include"; flow:to_server,established; uricontent:"/header.php"; nocase; uricontent:"ROOT_PATH="; nocase; pcre:"/ROOT_PATH=(https?|ftp)/Ui"; reference:cve,2006-2521; classtype:web-application-attack; sid:100000338; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail core.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3/core.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000339; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC V-Webmail pop3.php remote file include"; flow:to_server,established; uricontent:"/includes/mailaccess/pop3.php"; nocase; uricontent:"CONFIG[pear_dir]="; nocase; pcre:"/CONFIG[pear_dir]=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20297/; classtype:web-application-attack; sid:100000340; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS help.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/help.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000341; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS business.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/business.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000342; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DoceboLMS credits.php remote file include"; flow:to_server,established; uricontent:"/modules/credits/credits.php"; nocase; uricontent:"lang="; nocase; pcre:"/lang=(https?|ftp)/Ui"; reference:bugtraq,18110; classtype:web-application-attack; sid:100000343; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000344; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SocketMail inc-common.php remote file include"; flow:to_server,established; uricontent:"/inc-common.php"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20273/; classtype:web-application-attack; sid:100000345; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Plume CMS prepend.php remote file include"; flow:to_server,established; uricontent:"/manager/frontinc/prepend.php"; nocase; uricontent:"_PX_config[manager_path]="; nocase; pcre:"/_PX_config[manager_path]=(https?|ftp)/Ui"; reference:bugtraq,16662; classtype:web-application-attack; sid:100000346; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro form.php remote file include"; flow:to_server,established; uricontent:"/form.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000347; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro customize.php remote file include"; flow:to_server,established; uricontent:"/customize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000348; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ezupload Pro initialize.php remote file include"; flow:to_server,established; uricontent:"/initialize.php"; nocase; uricontent:"path="; nocase; pcre:"/path=(https?|ftp)/Ui"; reference:bugtraq,18135; classtype:web-application-attack; sid:100000349; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads ubbt.inc.php remote file include"; flow:to_server,established; uricontent:"/ubbt.inc.php"; nocase; uricontent:"GLOBALS[thispath]="; nocase; pcre:"/GLOBALS[thispath]=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000350; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC UBBThreads config[cookieprefix] remote file include"; flow:to_server,established; uricontent:"/includepollresults.php?config[cookieprefix]"; nocase; uricontent:"w3t_language="; nocase; pcre:"/w3t_language=(https?|ftp)/Ui"; reference:url,www.nukedx.com/?viewdoc=40; classtype:web-application-attack; sid:100000351; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Blend Portal blend_common.php remote file include"; flow:to_server,established; uricontent:"/blend_data/blend_common.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18153; reference:url,www.nukedx.com/?viewdoc=41; classtype:web-application-attack; sid:100000352; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC tinyBB footers.php remote file include"; flow:to_server,established; uricontent:"/footers.php"; nocase; uricontent:"tinybb_footers="; nocase; pcre:"/tinybb_footers=(https?|ftp)/Ui"; reference:bugtraq,18147; classtype:web-application-attack; sid:100000353; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB-Amod lang_activity.php remote file include"; flow:to_server,established; uricontent:"/lang_activity.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18155; classtype:web-application-attack; sid:100000354; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC eSyndiCat cron.php remote file include"; flow:to_server,established; uricontent:"/admin/cron.php"; nocase; uricontent:"path_to_config="; nocase; pcre:"/path_to_config=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20218/; classtype:web-application-attack; sid:100000355; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_qry_common.php remote file include"; flow:to_server,established; uricontent:"/base_qry_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_stat_common.php remote file include"; flow:to_server,established; uricontent:"/base_stat_common.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BASE base_include.inc.php remote file include"; flow:to_server,established; uricontent:"/base_include.inc.php"; nocase; uricontent:"BASE_path="; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken.php remote file include"; flow:to_server,established; uricontent:"/drucken.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000359; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS drucken2.php remote file include"; flow:to_server,established; uricontent:"/drucken2.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000360; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS email_an_benutzer.php remote file include"; flow:to_server,established; uricontent:"/email_an_benutzer.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000361; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS rechnung.php remote file include"; flow:to_server,established; uricontent:"/rechnung.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000362; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS search.php remote file include"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000363; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Fastpublish CMS admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"config[fsBase]="; nocase; pcre:"/config[fsBase]=(https?|ftp)/Ui"; reference:bugtraq,18163; classtype:web-application-attack; sid:100000364; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke index.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/index.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000365; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ug_auth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ug_auth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000366; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_board.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_board.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000367; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_disallow.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_disallow.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000368; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forumauth.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forumauth.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000369; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_groups.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_groups.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; 
reference:bugtraq,18186; classtype:web-application-attack; sid:100000370; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_ranks.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_ranks.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000371; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_styles.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000372; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_user_ban.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_user_ban.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000373; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_words.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_words.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000374; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_avatar.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_avatar.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000375; rev:2;) +alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_db_utilities.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_db_utilities.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000376; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forum_prune.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forum_prune.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000377; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_forums.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_forums.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000378; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_mass_email.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_mass_email.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000379; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpNuke admin_smilies.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_smilies.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000380; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY 
WEB-MISC phpNuke admin_users.php remote file include"; flow:to_server,established; uricontent:"/modules/Forums/admin/admin_users.php"; nocase; uricontent:"phpbb_root_path="; nocase; pcre:"/phpbb_root_path=(https?|ftp)/Ui"; reference:bugtraq,18186; classtype:web-application-attack; sid:100000382; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OsTicket open_form.php remote file include"; flow:to_server,established; uricontent:"/open_form.php"; nocase; uricontent:"include_path="; nocase; pcre:"/include_path=(https?|ftp)/Ui"; reference:bugtraq,18190; classtype:web-application-attack; sid:100000383; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000384; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman error.php remote file include"; flow:to_server,established; uricontent:"/error.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000385; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ottoman main_class.php remote file include"; flow:to_server,established; uricontent:"/classes/main_class.php"; nocase; uricontent:"default_path="; nocase; pcre:"/default_path=(https?|ftp)/Ui"; reference:bugtraq,18208; classtype:web-application-attack; sid:100000386; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia index.php remote file include"; flow:to_server,established; uricontent:"/orid/index.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; 
classtype:web-application-attack; sid:100000387; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia topman.php remote file include"; flow:to_server,established; uricontent:"/orid/topman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000388; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/orid/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000389; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadmb.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadmb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000390; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadma.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadma.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000391; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia vacadm.php remote file include"; flow:to_server,established; uricontent:"/orid/vacadm.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000392; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia start.php remote file include"; flow:to_server,established; 
uricontent:"/orid/start.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000393; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia search.php remote file include"; flow:to_server,established; uricontent:"/orid/search.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000394; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia posts.php remote file include"; flow:to_server,established; uricontent:"/orid/posts.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000395; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia options.php remote file include"; flow:to_server,established; uricontent:"/orid/options.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000396; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia login.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/login.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000397; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia frchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/frchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000398; rev:2;) +alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia flbchart.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/flbchart.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000399; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia fileman.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/fileman.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000400; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia faq.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/faq.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000401; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia event.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/event.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000402; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia directory.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/directory.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000403; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia articles.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/articles.php"; nocase; 
uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000404; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia artedit.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/artedit.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000405; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia approb.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/approb.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000406; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ovidentia calday.php remote file include"; flow:to_server,established; uricontent:"/ovidentia/calday.php"; nocase; uricontent:"babInstallPath="; nocase; pcre:"/babInstallPath=(https?|ftp)/Ui"; reference:bugtraq,18232; classtype:web-application-attack; sid:100000407; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD cache_mngt.php remote file include"; flow:to_server,established; uricontent:"/cache_mngt.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000408; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AssoCIateD gallery_functions.php remote file include"; flow:to_server,established; uricontent:"/gallery_functions.php"; nocase; uricontent:"root_path="; nocase; pcre:"/root_path=(https?|ftp)/Ui"; reference:bugtraq,18220; classtype:web-application-attack; sid:100000409; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/image_resize/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000410; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/simple_user/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000411; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/stats/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000412; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO index.inc.php remote file include"; flow:to_server,established; uricontent:"/include/addons/import_export/pages/index.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000413; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC REDAXO community.inc.php remote file include"; flow:to_server,established; uricontent:"/include/pages/community.inc.php"; nocase; uricontent:"REX[INCLUDE_PATH]="; nocase; pcre:"/REX[INCLUDE_PATH]=(https?|ftp)/Ui"; reference:bugtraq,18229; classtype:web-application-attack; sid:100000414; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Bytehoard server.php 
remote file include"; flow:to_server,established; uricontent:"/includes/webdav/server.php"; nocase; uricontent:"bhconfig[bhfilepath]="; nocase; pcre:"/bhconfig[bhfilepath]=(https?|ftp)/Ui"; reference:bugtraq,18234; classtype:web-application-attack; sid:100000415; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie admin.php remote file include"; flow:to_server,established; uricontent:"/admin.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000416; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MyBloggie scode.php remote file include"; flow:to_server,established; uricontent:"/scode.php"; nocase; uricontent:"mybloggie_root_path="; nocase; pcre:"/mybloggie_root_path=(https?|ftp)/Ui"; reference:bugtraq,18241; classtype:web-application-attack; sid:100000417; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashheadlines.php remote file include"; flow:to_server,established; uricontent:"/ashheadlines.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000418; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Ashwebstudio Ashnews ashnews.php remote file include"; flow:to_server,established; uricontent:"/ashnews.php"; nocase; uricontent:"pathtoashnews="; nocase; pcre:"/pathtoashnews=(https?|ftp)/Ui"; reference:bugtraq,18248; classtype:web-application-attack; sid:100000419; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Informium common-menu.php remote file include"; flow:to_server,established; uricontent:"/admin/common-menu.php"; nocase; uricontent:"CONF[local_path]="; nocase; pcre:"/CONF[local_path]=(https?|ftp)/Ui"; 
reference:bugtraq,18249; classtype:web-application-attack; sid:100000420; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Igloo wiki.php remote file include"; flow:to_server,established; uricontent:"/wiki.php"; nocase; uricontent:"c_node[class_path]="; nocase; pcre:"/c_node[class_path]=(https?|ftp)/Ui"; reference:bugtraq,18250; classtype:web-application-attack; sid:100000421; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC phpBB template.php remote file include"; flow:to_server,established; uricontent:"/template.php"; nocase; uricontent:"page="; nocase; pcre:"/page=(https?|ftp)/Ui"; reference:bugtraq,18255; classtype:web-application-attack; sid:100000422; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS index.php remote file include"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000423; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS feedback.php remote file include"; flow:to_server,established; uricontent:"/feedback.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000424; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotWidget CMS printfriendly.php remote file include"; flow:to_server,established; uricontent:"/printfriendly.php"; nocase; uricontent:"file_path="; nocase; pcre:"/file_path=(https?|ftp)/Ui"; reference:bugtraq,18258; classtype:web-application-attack; sid:100000425; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DotClear prepend.php remote file include"; flow:to_server,established; uricontent:"/prepend.php"; nocase; 
uricontent:"blog_dc_path="; nocase; pcre:"/blog_dc_path=(https?|ftp)/Ui"; reference:bugtraq,18259; classtype:web-application-attack; sid:100000426; rev:2;) + +# JBoss Rules from Jon Hart +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss jmx-console html adaptor access"; flow:to_server,established; uricontent:"/jmx-console/HtmlAdaptor"; reference:url,jboss.org/wiki/Wiki.jsp?page=JMXConsole; classtype:misc-activity; sid:100000427; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:100000428; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC JBoss web-console access"; flow:to_server,established; uricontent:"/web-console"; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:1;) + + +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Faq.class.php remote file include"; flow:to_server,established; uricontent:"/applications/faq/Bs_Faq.class.php"; nocase; uricontent:"APP[path][applications]="; nocase; pcre:"/APP\[path\]\[applications\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000430; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes fileBrowserInner.php remote file include"; flow:to_server,established; uricontent:"/applications/filebrowser/fileBrowserInner.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000431; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes file.php remote file include"; 
flow:to_server,established; uricontent:"/applications/filemanager/file.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000432; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes viewer.php remote file include"; flow:to_server,established; uricontent:"/applications/filemanager/viewer.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000433; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_ImageArchive.class.php remote file include"; flow:to_server,established; uricontent:"/applications/imagearchive/Bs_ImageArchive.class.php"; nocase; uricontent:"APP[path][core]="; nocase; pcre:"/APP\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000434; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Ml_User.class.php remote file include"; flow:to_server,established; uricontent:"/applications/mailinglist/Bs_Ml_User.class.php"; nocase; uricontent:"GLOBALS[APP][path][core]="; nocase; pcre:"/GLOBALS\[APP\]\[path\]\[core\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000435; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BlueShoes Bs_Wse_Profile.class.php remote file include"; flow:to_server,established; uricontent:"/applications/websearchengine/Bs_Wse_Profile.class.php"; nocase; uricontent:"APP[path][plugins]="; nocase; pcre:"/APP\[path\]\[plugins\]=(https?|ftp)/Ui"; reference:bugtraq,18261; classtype:web-application-attack; sid:100000436; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CS-Cart class.cs_phpmailer.php remote 
file include"; flow:to_server,established; uricontent:"/class.cs_phpmailer.php"; nocase; uricontent:"classes_dir="; nocase; pcre:"/classes_dir=(https?|ftp)/Ui"; reference:bugtraq,18263; classtype:web-application-attack; sid:100000437; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline mambo.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/mambo.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000438; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Claroline postnuke.inc.php remote file include"; flow:to_server,established; uricontent:"/auth/extauth/drivers/postnuke.inc.php"; nocase; uricontent:"includepath="; nocase; pcre:"/includepath=(https?|ftp)/Ui"; reference:bugtraq,18265; classtype:web-application-attack; sid:100000439; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC CyBoards common.php remote file include"; flow:to_server,established; uricontent:"/include/common.php"; nocase; uricontent:"script_path="; nocase; pcre:"/script_path=(https?|ftp)/Ui"; reference:bugtraq,18272; classtype:web-application-attack; sid:100000440; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Wikiwig wk_lang.php remote file include"; flow:to_server,established; uricontent:"/wk_lang.php"; nocase; uricontent:"WK[wkpath]="; nocase; pcre:"/WK\[wkpath\]=(https?|ftp)/Ui"; reference:bugtraq,18291; classtype:web-application-attack; sid:100000441; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie pcltar.lib.php remote file include"; flow:to_server,established; uricontent:"/pcltar.lib.php"; nocase; uricontent:"g_pcltar_lib_dir="; nocase; pcre:"/g_pcltar_lib_dir=(https?|ftp)/Ui"; reference:bugtraq,18313; 
classtype:web-application-attack; sid:100000442; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galimage.lib.php remote file include"; flow:to_server,established; uricontent:"/galimage.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000443; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC MiraksGalerie galsecurity.lib.php remote file include"; flow:to_server,established; uricontent:"/galsecurity.lib.php"; nocase; uricontent:"listconfigfile[0]="; nocase; pcre:"/listconfigfile\[0\]=(https?|ftp)/Ui"; reference:bugtraq,18313; classtype:web-application-attack; sid:100000444; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"sqlType="; nocase; pcre:"/sqlType(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000448; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC OfficeFlow files.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/files.asp"; nocase; uricontent:"Project="; nocase; pcre:"/Project(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18367; classtype:web-application-attack; sid:100000449; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VanillaSoft Helpdesk default.asp xss attempt"; flow:to_server,established; uricontent:"/default.asp"; nocase; uricontent:"username="; nocase; pcre:"/username(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18368; classtype:web-application-attack; sid:100000450; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"cat="; nocase; pcre:"/cat(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000451; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice album.asp xss attempt"; flow:to_server,established; uricontent:"/album.asp"; nocase; uricontent:"albumid="; nocase; pcre:"/albumid(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000452; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"apage="; nocase; pcre:"/apage(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000453; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC KAPhotoservice edtalbum.asp xss attempt"; flow:to_server,established; uricontent:"/edtalbum.asp"; nocase; uricontent:"New Category="; nocase; pcre:"/New Category(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18379; classtype:web-application-attack; sid:100000454; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Axent Forum viewposts.cfm xss attempt"; flow:to_server,established; uricontent:"/viewposts.cfm"; nocase; uricontent:"startrow="; nocase; pcre:"/startrow(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18473; classtype:web-application-attack; sid:100000455; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC SSPwiz index.cfm xss attempt"; flow:to_server,established; uricontent:"/index.cfm"; nocase; uricontent:"message="; nocase; pcre:"/message(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18482; classtype:web-application-attack; sid:100000456; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC ASP Stats pages.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/pages.asp"; nocase; uricontent:"order="; nocase; pcre:"/order(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18512; classtype:web-application-attack; sid:100000457; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC DPVision Tradingeye Shop details.cfm xss attempt"; flow:to_server,established; uricontent:"/details.cfm"; nocase; uricontent:"image="; nocase; pcre:"/image(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18526; classtype:web-application-attack; sid:100000458; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WeBBoA yeni_host.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"host/yeni_host.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18564; classtype:web-application-attack; sid:100000459; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC AZureus index.tmpl xss attempt"; flow:to_server,established; uricontent:"/index.tmpl"; nocase; uricontent:"search="; nocase; pcre:"/search(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18596; classtype:web-application-attack; sid:100000460; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"To="; nocase; pcre:"/To(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000461; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Open WebMail openwebmail-read.pl xss attempt"; flow:to_server,established; uricontent:"/openwebmail-read.pl"; nocase; uricontent:"From="; nocase; pcre:"/From(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18598; classtype:web-application-attack; sid:100000462; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO gbrowse.php SQL injection attempt"; flow:to_server,established; uricontent:"/gbrowse.php"; nocase; uricontent:"cat_id="; nocase; pcre:"/cat_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000694; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO rating.php SQL injection attempt"; flow:to_server,established; uricontent:"/rating.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000695; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO create.php SQL injection attempt"; flow:to_server,established; uricontent:"/create.php"; nocase; uricontent:"card_id="; nocase; pcre:"/card_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000696; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC VCard PRO search.php SQL injection attempt"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"event_id="; nocase; pcre:"/event_id(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18699; classtype:web-application-attack; sid:100000697; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC BXCP index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; pcre:"/where(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18765; classtype:web-application-attack; sid:100000698; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000699; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Vincent Leclercq News diver.php xss attempt"; flow:to_server,established; uricontent:"/divers.php"; nocase; uricontent:"disable="; nocase; pcre:"/disable(=|\x3f)\x3c[^\n]+\x3e/Ui"; reference:bugtraq,18775; classtype:web-application-attack; sid:100000700; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC WordPress index.php SQL injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"paged="; nocase; pcre:"/paged(=|\x3f)?\w*\x27/Ui"; reference:bugtraq,18779; classtype:web-application-attack; sid:100000701; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Webvizyon SayfalaAltList.asp MSSQL injection attempt"; flow:to_server,established; uricontent:"/SayfalaAltList.asp"; nocase; uricontent:"id="; nocase; pcre:"/id(=|\x3f)?exec(\s|\x2b)+(s|x)p\w+/Ui"; reference:bugtraq,18899; classtype:web-application-attack; sid:100000702; rev:1;)
+
+# Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 10000 (msg:"COMMUNITY WEB-MISC Webmin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000890; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 20000 (msg:"COMMUNITY WEB-MISC Usermin null char attempt"; flow:to_server,established; uricontent:"miniserv.pl"; nocase; uricontent:"|00|"; reference:bugtraq,19820; reference:nessus,22300; classtype:web-application-attack; sid:100000891; rev:1;)
+
+# Rule submitted by Avinash Shenoi (Cenzic Inc. CIA Research Team)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-description xss attempt"; flow:to_server; content:"blog-category-description"; nocase; pcre:"/blog-category-description(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000895; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-entry-title xss attempt"; flow:to_server; content:"blog-entry-title"; nocase; pcre:"/blog-entry-title(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000896; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog rss-enclosure-url xss attempt"; flow:to_server; content:"rss-enclosure-url"; nocase; pcre:"/rss-enclosure-url(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000897; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog technorati-tags xss attempt"; flow:to_server; content:"technorati-tags"; nocase; pcre:"/technorati-tags(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000898; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "COMMUNITY WEB-MISC Blojsom Weblog blog-category-name xss attempt"; flow:to_server; content:"blog-category-name"; nocase; pcre:"/blog-category-name(=|\x3f)[^\r\n]*\x3c\script/smi"; reference:url,www.kb.cert.org/vuls/id/425861; classtype:web-application-activity; sid:100000899; rev:1;)
--- /dev/null
+++ b/rules/sid-msg.map
@@ -0,0 +1,3544 @@ +103 || BACKDOOR subseven 22 || arachnids,485 || url,www.hackfix.org/subseven/ +104 || BACKDOOR - Dagger_1.4.0_client_connect || arachnids,483 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html +105 || BACKDOOR - Dagger_1.4.0 || arachnids,484 || url,www.tlsecurity.net/backdoor/Dagger.1.4.html +106 || BACKDOOR ACKcmdC trojan scan || arachnids,445 +107 || BACKDOOR subseven DEFCON8 2.1 access +108 || BACKDOOR QAZ Worm Client Login access || MCAFEE,98775 +109 || BACKDOOR netbus active || arachnids,401 +110 || BACKDOOR netbus getinfo || arachnids,403 +111 || BACKDOOR netbus getinfo || arachnids,403 +112 || BACKDOOR BackOrifice access || arachnids,400 +113 || BACKDOOR DeepThroat access || arachnids,405 +114 || BACKDOOR netbus active || arachnids,401 +115 || BACKDOOR NetBus Pro 2.0 connection established +116 || BACKDOOR BackOrifice access || arachnids,399 +117 || BACKDOOR Infector.1.x || arachnids,315 +118 || BACKDOOR SatansBackdoor.2.0.Beta || arachnids,316 +119 || BACKDOOR Doly 2.0 access || arachnids,312 +120 || BACKDOOR Infector 1.6 Server to Client || cve,1999-0660 || nessus,11157 +121 || BACKDOOR Infector 1.6 Client to Server Connection Request || cve,1999-0660 || nessus,11157 +122 || BACKDOOR DeepThroat 3.1 System Info Client Request || arachnids,106 +124 || BACKDOOR DeepThroat 3.1 FTP Status Client Request || arachnids,106 +125 || BACKDOOR DeepThroat 3.1 E-Mail Info From Server || arachnids,106 +126 || BACKDOOR DeepThroat 3.1 E-Mail Info Client Request || arachnids,106 +127 || BACKDOOR DeepThroat 3.1 Server Status From Server || arachnids,106 +128 || BACKDOOR DeepThroat 3.1 Server Status Client Request || arachnids,106 +129 || BACKDOOR DeepThroat 3.1 Drive Info From Server || arachnids,106 +130 || BACKDOOR DeepThroat 3.1 System Info From Server || arachnids,106 +131 || BACKDOOR DeepThroat 3.1 Drive Info Client Request || arachnids,106 +132 || BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server || arachnids,106 +133 || BACKDOOR DeepThroat 
3.1 Cached Passwords Client Request || arachnids,106 +134 || BACKDOOR DeepThroat 3.1 RAS Passwords Client Request || arachnids,106 +135 || BACKDOOR DeepThroat 3.1 Server Password Change Client Request || arachnids,106 +136 || BACKDOOR DeepThroat 3.1 Server Password Remove Client Request || arachnids,106 +137 || BACKDOOR DeepThroat 3.1 Rehash Client Request || arachnids,106 +138 || BACKDOOR DeepThroat 3.1 Server Rehash Client Request || arachnids,106 +140 || BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request || arachnids,106 +141 || BACKDOOR HackAttack 1.20 Connect +142 || BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request || arachnids,106 +143 || BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request || arachnids,106 +144 || FTP ADMw0rm ftp login attempt || arachnids,01 +145 || BACKDOOR GirlFriendaccess || arachnids,98 +146 || BACKDOOR NetSphere access || arachnids,76 +147 || BACKDOOR GateCrasher || arachnids,99 +148 || BACKDOOR DeepThroat 3.1 Keylogger Active on Network || arachnids,106 +149 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 +150 || BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 +151 || BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network || arachnids,106 +152 || BACKDOOR BackConstruction 2.1 Connection +153 || BACKDOOR DonaldDick 1.53 Traffic || mcafee,98575 +154 || BACKDOOR DeepThroat 3.1 Wrong Password || arachnids,106 +155 || BACKDOOR NetSphere 1.31.337 access || arachnids,76 +156 || BACKDOOR DeepThroat 3.1 Visible Window List Client Request || arachnids,106 +157 || BACKDOOR BackConstruction 2.1 Client FTP Open Request +158 || BACKDOOR BackConstruction 2.1 Server FTP Open Reply +159 || BACKDOOR NetMetro File List || arachnids,79 +160 || BACKDOOR NetMetro Incoming Traffic || arachnids,79 +161 || BACKDOOR Matrix 2.0 Client connect || arachnids,83 +162 || BACKDOOR Matrix 2.0 Server access || arachnids,83 +163 || BACKDOOR WinCrash 1.0 Server Active || arachnids,36 +164 || 
BACKDOOR DeepThroat 3.1 Server Active on Network || arachnids,106 +165 || BACKDOOR DeepThroat 3.1 Keylogger on Server ON || arachnids,106 +166 || BACKDOOR DeepThroat 3.1 Show Picture Client Request || arachnids,106 +167 || BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request || arachnids,106 +168 || BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request || arachnids,106 +169 || BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request || arachnids,106 +170 || BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request || arachnids,106 +171 || BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request || arachnids,106 +172 || BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request || arachnids,106 +173 || BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request || arachnids,106 +174 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 +175 || BACKDOOR DeepThroat 3.1 Resolution Change Client Request || arachnids,106 +176 || BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request || arachnids,106 +177 || BACKDOOR DeepThroat 3.1 Keylogger on Server OFF || arachnids,106 +179 || BACKDOOR DeepThroat 3.1 FTP Server Port Client Request || arachnids,106 +180 || BACKDOOR DeepThroat 3.1 Process List Client request || arachnids,106 +181 || BACKDOOR DeepThroat 3.1 Close Port Scan Client Request || arachnids,106 +182 || BACKDOOR DeepThroat 3.1 Registry Add Client Request || arachnids,106 +183 || BACKDOOR SIGNATURE - Q ICMP || arachnids,202 +184 || BACKDOOR Q access || arachnids,203 +185 || BACKDOOR CDK || arachnids,263 +186 || BACKDOOR DeepThroat 3.1 Monitor on/off Client Request || arachnids,106 +187 || BACKDOOR DeepThroat 3.1 Delete File Client Request || arachnids,106 +188 || BACKDOOR DeepThroat 3.1 Kill Window Client Request || arachnids,106 +189 || BACKDOOR DeepThroat 3.1 Disable Window Client Request || arachnids,106 +190 || BACKDOOR DeepThroat 3.1 Enable Window Client Request || arachnids,106 +191 || BACKDOOR DeepThroat 3.1 
Change Window Title Client Request || arachnids,106 +192 || BACKDOOR DeepThroat 3.1 Hide Window Client Request || arachnids,106 +193 || BACKDOOR DeepThroat 3.1 Show Window Client Request || arachnids,106 +194 || BACKDOOR DeepThroat 3.1 Send Text to Window Client Request || arachnids,106 +195 || BACKDOOR DeepThroat 3.1 Server Response || arachnids,106 || mcafee,98574 || nessus,10053 +196 || BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request || arachnids,106 +197 || BACKDOOR DeepThroat 3.1 Create Directory Client Request || arachnids,106 +198 || BACKDOOR DeepThroat 3.1 All Window List Client Request || arachnids,106 +199 || BACKDOOR DeepThroat 3.1 Play Sound Client Request || arachnids,106 +200 || BACKDOOR DeepThroat 3.1 Run Program Normal Client Request || arachnids,106 +201 || BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request || arachnids,106 +202 || BACKDOOR DeepThroat 3.1 Get NET File Client Request || arachnids,106 +203 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 +204 || BACKDOOR DeepThroat 3.1 Find File Client Request || arachnids,106 +205 || BACKDOOR DeepThroat 3.1 HUP Modem Client Request || arachnids,106 +206 || BACKDOOR DeepThroat 3.1 CD ROM Open Client Request || arachnids,106 +207 || BACKDOOR DeepThroat 3.1 CD ROM Close Client Request || arachnids,106 +208 || BACKDOOR PhaseZero Server Active on Network +209 || BACKDOOR w00w00 attempt || arachnids,510 +210 || BACKDOOR attempt +211 || BACKDOOR MISC r00t attempt +212 || BACKDOOR MISC rewt attempt +213 || BACKDOOR MISC Linux rootkit attempt +214 || BACKDOOR MISC Linux rootkit attempt lrkr0x +215 || BACKDOOR MISC Linux rootkit attempt +216 || BACKDOOR MISC Linux rootkit satori attempt || arachnids,516 +217 || BACKDOOR MISC sm4ck attempt +218 || BACKDOOR MISC Solaris 2.5 attempt +219 || BACKDOOR HidePak backdoor attempt +220 || BACKDOOR HideSource backdoor attempt +221 || DDOS TFN Probe || arachnids,443 +222 || DDOS tfn2k icmp possible communication || arachnids,425 +223 
|| DDOS Trin00 Daemon to Master PONG message detected || arachnids,187 +224 || DDOS Stacheldraht server spoof || arachnids,193 +225 || DDOS Stacheldraht gag server response || arachnids,195 +226 || DDOS Stacheldraht server response || arachnids,191 +227 || DDOS Stacheldraht client spoofworks || arachnids,192 +228 || DDOS TFN client command BE || arachnids,184 +229 || DDOS Stacheldraht client check skillz || arachnids,190 +230 || DDOS shaft client login to handler || arachnids,254 || url,security.royans.net/info/posts/bugtraq_ddos3.shtml +231 || DDOS Trin00 Daemon to Master message detected || arachnids,186 +232 || DDOS Trin00 Daemon to Master *HELLO* message detected || arachnids,185 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm +233 || DDOS Trin00 Attacker to Master default startup password || arachnids,197 +234 || DDOS Trin00 Attacker to Master default password +235 || DDOS Trin00 Attacker to Master default mdie password +236 || DDOS Stacheldraht client check gag || arachnids,194 +237 || DDOS Trin00 Master to Daemon default password attempt || arachnids,197 +238 || DDOS TFN server response || arachnids,182 +239 || DDOS shaft handler to agent || arachnids,255 +240 || DDOS shaft agent to handler || arachnids,256 +241 || DDOS shaft synflood || arachnids,253 || cve,2000-0138 +243 || DDOS mstream agent to handler +244 || DDOS mstream handler to agent || cve,2000-0138 +245 || DDOS mstream handler ping to agent || cve,2000-0138 +246 || DDOS mstream agent pong to handler +247 || DDOS mstream client to handler || cve,2000-0138 +248 || DDOS mstream handler to client || cve,2000-0138 +249 || DDOS mstream client to handler || arachnids,111 || cve,2000-0138 +250 || DDOS mstream handler to client || cve,2000-0138 +251 || DDOS - TFN client command LE || arachnids,183 +252 || DNS named iquery attempt || arachnids,277 || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt +253 || DNS SPOOF query response PTR with TTL of 1 min. 
and no authority +254 || DNS SPOOF query response with TTL of 1 min. and no authority +255 || DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595 +256 || DNS named authors attempt || arachnids,480 || nessus,10728 +257 || DNS named version attempt || arachnids,278 || nessus,10028 +258 || DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833 +259 || DNS EXPLOIT named overflow ADM || bugtraq,788 || cve,1999-0833 +260 || DNS EXPLOIT named overflow ADMROCKS || bugtraq,788 || cve,1999-0833 || url,www.cert.org/advisories/CA-1999-14.html +261 || DNS EXPLOIT named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html +262 || DNS EXPLOIT x86 Linux overflow attempt +264 || DNS EXPLOIT x86 Linux overflow attempt +265 || DNS EXPLOIT x86 Linux overflow attempt ADMv2 +266 || DNS EXPLOIT x86 FreeBSD overflow attempt +267 || DNS EXPLOIT sparc overflow attempt +268 || DOS Jolt attack || cve,1999-0345 +269 || DOS Land attack || bugtraq,2666 || cve,1999-0016 +270 || DOS Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html +271 || DOS UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635 +272 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx +273 || DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 +274 || DOS ath || arachnids,264 || cve,1999-1228 +275 || DOS NAPTHA || bugtraq,2022 || cve,2000-1039 || url,razor.bindview.com/publish/advisories/adv_NAPTHA.html || url,www.cert.org/advisories/CA-2000-21.html || url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx +276 || DOS Real Audio Server || arachnids,411 || bugtraq,1288 || cve,2000-0474 +277 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 +278 || DOS Real Server template.html || bugtraq,1288 || cve,2000-0474 +279 || DOS Bay/Nortel Nautica Marlin || bugtraq,1009 || cve,2000-0221 +281 || DOS Ascend Route || arachnids,262 || bugtraq,714 || 
cve,1999-0060 +282 || DOS arkiea backup || arachnids,261 || bugtraq,662 || cve,1999-0788 +283 || EXPLOIT Netscape 4.7 client overflow || arachnids,215 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 +284 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 +285 || POP2 x86 Linux overflow || bugtraq,283 || cve,1999-0920 || nessus,10130 +286 || POP3 EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196 +287 || POP3 EXPLOIT x86 BSD overflow +288 || POP3 EXPLOIT x86 Linux overflow +289 || POP3 EXPLOIT x86 SCO overflow || bugtraq,156 || cve,1999-0006 +290 || POP3 EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184 +291 || NNTP Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341 +292 || EXPLOIT x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811 +293 || IMAP EXPLOIT overflow +295 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 +296 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 +297 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 +298 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 +299 || IMAP EXPLOIT x86 linux overflow || bugtraq,130 || cve,1999-0005 +300 || EXPLOIT nlps x86 Solaris overflow || bugtraq,2319 +301 || EXPLOIT LPRng overflow || bugtraq,1712 || cve,2000-0917 +302 || EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917 +303 || DNS EXPLOIT named tsig overflow attempt || arachnids,482 || bugtraq,2302 || cve,2001-0010 +304 || EXPLOIT SCO calserver overflow || bugtraq,2353 || cve,2000-0306 +305 || EXPLOIT delegate proxy overflow || arachnids,267 || bugtraq,808 || cve,2000-0165 +306 || EXPLOIT VQServer admin || bugtraq,1610 || cve,2000-0766 || url,www.vqsoft.com/vq/server/docs/other/control.html +307 || EXPLOIT CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672 +308 || EXPLOIT NextFTP client overflow || bugtraq,572 || cve,1999-0671 +309 || EXPLOIT 
sniffit overflow || arachnids,273 || bugtraq,1158 || cve,2000-0343 +310 || EXPLOIT x86 windows MailMax overflow || bugtraq,2312 || cve,1999-0404 +311 || EXPLOIT Netscape 4.7 unsucessful overflow || arachnids,214 || bugtraq,822 || cve,1999-1189 || cve,2000-1187 +312 || EXPLOIT ntpdx overflow attempt || arachnids,492 || bugtraq,2540 || cve,2001-0414 +313 || EXPLOIT ntalkd x86 Linux overflow || bugtraq,210 +314 || DNS EXPLOIT named tsig overflow attempt || bugtraq,2303 || cve,2001-0010 +315 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 +316 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 +317 || EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 +318 || EXPLOIT bootp x86 bsd overfow || bugtraq,324 || cve,1999-0914 +319 || EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799 +320 || FINGER cmd_rootsh backdoor attempt || nessus,10070 || url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm +321 || FINGER account enumeration attempt || nessus,10788 +322 || FINGER search query || arachnids,375 || cve,1999-0259 +323 || FINGER root query || arachnids,376 +324 || FINGER null request || arachnids,377 +325 || FINGER probe 0 attempt || arachnids,378 +326 || FINGER remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150 +327 || FINGER remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152 +328 || FINGER bomb attempt || arachnids,381 || cve,1999-0106 +329 || FINGER cybercop redirection || arachnids,11 +330 || FINGER redirection attempt || arachnids,251 || cve,1999-0105 || nessus,10073 +331 || FINGER cybercop query || arachnids,132 || cve,1999-0612 +332 || FINGER 0 query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069 +333 || FINGER . 
query || arachnids,130 || cve,1999-0198 || nessus,10072 +334 || FTP .forward || arachnids,319 +335 || FTP .rhosts || arachnids,328 +336 || FTP CWD ~root attempt || arachnids,318 || cve,1999-0082 +337 || FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009 +338 || FTP EXPLOIT format string || arachnids,453 || bugtraq,1387 || cve,2000-0573 +339 || FTP EXPLOIT OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053 +340 || FTP EXPLOIT overflow +341 || FTP EXPLOIT overflow +342 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573 +343 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573 +344 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573 +345 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452 +346 || FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573 +348 || FTP EXPLOIT wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387 +349 || FTP EXPLOIT MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 +350 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 +351 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 +352 || FTP EXPLOIT x86 linux overflow || bugtraq,113 || cve,1999-0368 +353 || FTP adm scan || arachnids,332 +354 || FTP iss scan || arachnids,331 +355 || FTP pass wh00t || arachnids,324 +356 || FTP passwd retrieval attempt || arachnids,213 +357 || FTP piss scan +358 || FTP saint scan || arachnids,330 +359 || FTP satan scan || arachnids,329 +360 || FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054 +361 || FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0955 +362 || 
FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997 +363 || ICMP IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875 +364 || ICMP IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875 +365 || ICMP PING undefined code +366 || ICMP PING *NIX +368 || ICMP PING BSDtype || arachnids,152 +369 || ICMP PING BayRS Router || arachnids,438 || arachnids,444 +370 || ICMP PING BeOS4.x || arachnids,151 +371 || ICMP PING Cisco Type.x || arachnids,153 +372 || ICMP PING Delphi-Piette Windows || arachnids,155 +373 || ICMP PING Flowpoint2200 or Network Management Software || arachnids,156 +374 || ICMP PING IP NetMonitor Macintosh || arachnids,157 +375 || ICMP PING LINUX/*BSD || arachnids,447 +376 || ICMP PING Microsoft Windows || arachnids,159 +377 || ICMP PING Network Toolbox 3 Windows || arachnids,161 +378 || ICMP PING Ping-O-MeterWindows || arachnids,164 +379 || ICMP PING Pinger Windows || arachnids,163 +380 || ICMP PING Seer Windows || arachnids,166 +381 || ICMP PING Sun Solaris || arachnids,448 +382 || ICMP PING Windows || arachnids,169 +384 || ICMP PING +385 || ICMP traceroute || arachnids,118 +386 || ICMP Address Mask Reply +387 || ICMP Address Mask Reply undefined code +388 || ICMP Address Mask Request +389 || ICMP Address Mask Request undefined code +390 || ICMP Alternate Host Address +391 || ICMP Alternate Host Address undefined code +392 || ICMP Datagram Conversion Error +393 || ICMP Datagram Conversion Error undefined code +394 || ICMP Destination Unreachable Destination Host Unknown +395 || ICMP Destination Unreachable Destination Network Unknown +396 || ICMP Destination Unreachable Fragmentation Needed and DF bit was set +397 || ICMP Destination Unreachable Host Precedence Violation +398 || ICMP Destination Unreachable Host Unreachable for Type of Service +399 || ICMP Destination Unreachable Host Unreachable +400 || ICMP Destination Unreachable Network Unreachable for Type of Service +401 || ICMP 
Destination Unreachable Network Unreachable +402 || ICMP Destination Unreachable Port Unreachable +403 || ICMP Destination Unreachable Precedence Cutoff in effect +404 || ICMP Destination Unreachable Protocol Unreachable +405 || ICMP Destination Unreachable Source Host Isolated +406 || ICMP Destination Unreachable Source Route Failed +407 || ICMP Destination Unreachable cndefined code +408 || ICMP Echo Reply +409 || ICMP Echo Reply undefined code +410 || ICMP Fragment Reassembly Time Exceeded +411 || ICMP IPV6 I-Am-Here +412 || ICMP IPV6 I-Am-Here undefined code +413 || ICMP IPV6 Where-Are-You +414 || ICMP IPV6 Where-Are-You undefined code +415 || ICMP Information Reply +416 || ICMP Information Reply undefined code +417 || ICMP Information Request +418 || ICMP Information Request undefined code +419 || ICMP Mobile Host Redirect +420 || ICMP Mobile Host Redirect undefined code +421 || ICMP Mobile Registration Reply +422 || ICMP Mobile Registration Reply undefined code +423 || ICMP Mobile Registration Request +424 || ICMP Mobile Registration Request undefined code +425 || ICMP Parameter Problem Bad Length +426 || ICMP Parameter Problem Missing a Required Option +427 || ICMP Parameter Problem Unspecified Error +428 || ICMP Parameter Problem undefined Code +429 || ICMP Photuris Reserved +430 || ICMP Photuris Unknown Security Parameters Index +431 || ICMP Photuris Valid Security Parameters, But Authentication Failed +432 || ICMP Photuris Valid Security Parameters, But Decryption Failed +433 || ICMP Photuris undefined code! 
+436 || ICMP Redirect for TOS and Host +437 || ICMP Redirect for TOS and Network +438 || ICMP Redirect undefined code +439 || ICMP Reserved for Security Type 19 +440 || ICMP Reserved for Security Type 19 undefined code +441 || ICMP Router Advertisement || arachnids,173 +443 || ICMP Router Selection || arachnids,174 +445 || ICMP SKIP +446 || ICMP SKIP undefined code +448 || ICMP Source Quench undefined code +449 || ICMP Time-To-Live Exceeded in Transit +450 || ICMP Time-To-Live Exceeded in Transit undefined code +451 || ICMP Timestamp Reply +452 || ICMP Timestamp Reply undefined code +453 || ICMP Timestamp Request +454 || ICMP Timestamp Request undefined code +455 || ICMP Traceroute ipopts || arachnids,238 +456 || ICMP Traceroute +457 || ICMP Traceroute undefined code +458 || ICMP unassigned type 1 +459 || ICMP unassigned type 1 undefined code +460 || ICMP unassigned type 2 +461 || ICMP unassigned type 2 undefined code +462 || ICMP unassigned type 7 +463 || ICMP unassigned type 7 undefined code +465 || ICMP ISS Pinger || arachnids,158 +466 || ICMP L3retriever Ping || arachnids,311 +467 || ICMP Nemesis v1.1 Echo || arachnids,449 +469 || ICMP PING NMAP || arachnids,162 +471 || ICMP icmpenum v1.1.1 || arachnids,450 +472 || ICMP redirect host || arachnids,135 || cve,1999-0265 +473 || ICMP redirect net || arachnids,199 || cve,1999-0265 +474 || ICMP superscan echo +475 || ICMP traceroute ipopts || arachnids,238 +476 || ICMP webtrends scanner || arachnids,307 +477 || ICMP Source Quench +478 || ICMP Broadscan Smurf Scanner +480 || ICMP PING speedera +481 || ICMP TJPingPro1.1Build 2 Windows || arachnids,167 +482 || ICMP PING WhatsupGold Windows || arachnids,168 +483 || ICMP PING CyberKit 2.2 Windows || arachnids,154 +484 || ICMP PING Sniffer Pro/NetXRay network scan +485 || ICMP Destination Unreachable Communication Administratively Prohibited +486 || ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited +487 || ICMP Destination 
Unreachable Communication with Destination Network is Administratively Prohibited +488 || INFO Connection Closed MSG from Port 80 +489 || INFO FTP no password || arachnids,322 +490 || INFO battle-mail traffic +491 || INFO FTP Bad login +492 || INFO TELNET login failed +493 || INFO psyBNC access +494 || ATTACK-RESPONSES command completed || bugtraq,1806 +495 || ATTACK-RESPONSES command error +496 || ATTACK RESPONSES directory listing +497 || ATTACK-RESPONSES file copied ok || bugtraq,1806 || cve,2000-0884 +498 || ATTACK-RESPONSES id check returned root +499 || ICMP Large ICMP Packet || arachnids,246 +500 || MISC source route lssr || arachnids,418 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx +501 || MISC source route lssre || arachnids,420 || bugtraq,646 || cve,1999-0909 || url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx +502 || MISC source route ssrr || arachnids,422 +503 || MISC Source Port 20 to <1024 || arachnids,06 +504 || MISC source port 53 to <1024 || arachnids,07 +505 || MISC Insecure TIMBUKTU Password || arachnids,229 +506 || MISC ramen worm incoming || arachnids,460 +507 || MISC PCAnywhere Attempted Administrator Login +508 || MISC gopher proxy || arachnids,409 +509 || WEB-MISC PCCS mysql database admin tool access || arachnids,300 || bugtraq,1557 || cve,2000-0707 || nessus,10783 +510 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 +511 || MISC Invalid PCAnywhere Login +512 || MISC PCAnywhere Failed Login || arachnids,240 +513 || MISC Cisco Catalyst Remote Access || arachnids,129 || bugtraq,705 || cve,1999-0430 +514 || MISC ramen worm || arachnids,461 +516 || MISC SNMP NT UserList || nessus,10546 +517 || MISC xdmcp query || arachnids,476 +518 || TFTP Put || arachnids,148 || cve,1999-0183 +519 || TFTP parent directory || arachnids,137 || cve,1999-0183 || cve,2002-1209 +520 || TFTP root directory || arachnids,138 || cve,1999-0183 +521 || MISC Large UDP Packet 
|| arachnids,247 +522 || MISC Tiny Fragments +523 || BAD-TRAFFIC ip reserved bit set +524 || BAD-TRAFFIC tcp port 0 traffic +525 || BAD-TRAFFIC udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074 +526 || BAD-TRAFFIC data in TCP SYN packet || url,www.cert.org/incident_notes/IN-99-07.html +527 || BAD-TRAFFIC same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html +528 || BAD-TRAFFIC loopback traffic || url,rr.sans.org/firewall/egress.php +529 || NETBIOS DOS RFPoison || arachnids,454 +530 || NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347 +532 || NETBIOS SMB ADMIN$ share access +533 || NETBIOS SMB C$ share access +534 || NETBIOS SMB CD.. || arachnids,338 +535 || NETBIOS SMB CD... || arachnids,337 +536 || NETBIOS SMB D$ share access +537 || NETBIOS SMB IPC$ share access +538 || NETBIOS SMB IPC$ unicode share access +539 || NETBIOS Samba clientaccess || arachnids,341 +540 || CHAT MSN message +541 || CHAT ICQ access +542 || CHAT IRC nick change +543 || POLICY FTP 'STOR 1MB' possible warez site +544 || POLICY FTP 'RETR 1MB' possible warez site +545 || POLICY FTP 'CWD / ' possible warez site +546 || POLICY FTP 'CWD ' possible warez site +547 || POLICY FTP 'MKD ' possible warez site +548 || POLICY FTP 'MKD .' 
possible warez site +549 || P2P napster login +550 || P2P napster new user login +551 || P2P napster download attempt +552 || P2P napster upload request +553 || POLICY FTP anonymous login attempt +554 || POLICY FTP 'MKD / ' possible warez site +555 || POLICY WinGate telnet server response || arachnids,366 || cve,1999-0657 +556 || P2P Outbound GNUTella client request +557 || P2P GNUTella client request +558 || INFO Outbound GNUTella client request +559 || P2P Inbound GNUTella client request +560 || POLICY VNC server response +561 || P2P Napster Client Data +562 || P2P Napster Client Data +563 || P2P Napster Client Data +564 || P2P Napster Client Data +565 || P2P Napster Server Login +566 || POLICY PCAnywhere server response || arachnids,239 +567 || POLICY SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html +568 || POLICY HP JetDirect LCD modification attempt || arachnids,302 || bugtraq,2245 +569 || RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +570 || RPC EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html +571 || RPC EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html +572 || RPC DOS ttdbserv Solaris || arachnids,241 || bugtraq,122 || cve,1999-0003 +573 || RPC AMD Overflow || arachnids,217 || cve,1999-0704 +574 || RPC mountd TCP export request || arachnids,26 +575 || RPC portmap admind request UDP || arachnids,18 +576 || RPC portmap amountd request UDP || arachnids,19 +577 || RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647 +578 || RPC portmap cmsd request UDP || arachnids,17 +579 || RPC portmap mountd request UDP || arachnids,13 +580 || RPC portmap nisd request UDP || arachnids,21 +581 || RPC portmap pcnfsd request UDP || arachnids,22 +582 || RPC portmap rexd request UDP || arachnids,23 +583 || RPC 
portmap rstatd request UDP || arachnids,10 +584 || RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626 +585 || RPC portmap sadmind request UDP || arachnids,20 +586 || RPC portmap selection_svc request UDP || arachnids,25 +587 || RPC portmap status request UDP || arachnids,15 +588 || RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +589 || RPC portmap yppasswd request UDP || arachnids,14 +590 || RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 +591 || RPC portmap ypupdated request TCP || arachnids,125 +592 || RPC rstatd query || arachnids,9 +593 || RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +595 || RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331 +596 || RPC portmap listing || arachnids,429 +597 || RPC portmap listing || arachnids,429 +598 || RPC portmap listing TCP 111 || arachnids,428 +599 || RPC portmap listing TCP 32771 || arachnids,429 +600 || RPC EXPLOIT statdx || arachnids,442 +601 || RSERVICES rlogin LinuxNIS +602 || RSERVICES rlogin bin || arachnids,384 +603 || RSERVICES rlogin echo++ || arachnids,385 +604 || RSERVICES rsh froot || arachnids,387 +605 || RSERVICES rlogin login failure || arachnids,393 +606 || RSERVICES rlogin root || arachnids,389 +607 || RSERVICES rsh bin || arachnids,390 +608 || RSERVICES rsh echo + + || arachnids,388 +609 || RSERVICES rsh froot || arachnids,387 +610 || RSERVICES rsh root || arachnids,391 +611 || RSERVICES rlogin login failure || arachnids,392 +612 || RPC rusers query UDP || cve,1999-0626 +613 || SCAN myscan || arachnids,439 +614 || BACKDOOR hack-a-tack attempt || arachnids,314 +615 || SCAN SOCKS Proxy attempt || url,help.undernet.org/proxyscan/ +616 || SCAN ident version request || arachnids,303 +617 || 
SCAN ssh-research-scanner +618 || SCAN Squid Proxy attempt +619 || SCAN cybercop os probe || arachnids,146 +620 || SCAN Proxy Port 8080 attempt +621 || SCAN FIN || arachnids,27 +622 || SCAN ipEye SYN scan || arachnids,236 +623 || SCAN NULL || arachnids,4 +624 || SCAN SYN FIN || arachnids,198 +625 || SCAN XMAS || arachnids,144 +626 || SCAN cybercop os PA12 attempt || arachnids,149 +627 || SCAN cybercop os SFU12 probe || arachnids,150 +628 || SCAN nmap TCP || arachnids,28 +629 || SCAN nmap fingerprint attempt || arachnids,05 +630 || SCAN synscan portscan || arachnids,441 +631 || SMTP ehlo cybercop attempt || arachnids,372 +632 || SMTP expn cybercop attempt || arachnids,371 +634 || SCAN Amanda client version request +635 || SCAN XTACACS logout || arachnids,408 +636 || SCAN cybercop udp bomb || arachnids,363 +637 || SCAN Webtrends Scanner UDP Probe || arachnids,308 +638 || SHELLCODE SGI NOOP || arachnids,356 +639 || SHELLCODE SGI NOOP || arachnids,357 +640 || SHELLCODE AIX NOOP +641 || SHELLCODE Digital UNIX NOOP || arachnids,352 +642 || SHELLCODE HP-UX NOOP || arachnids,358 +643 || SHELLCODE HP-UX NOOP || arachnids,359 +644 || SHELLCODE sparc NOOP || arachnids,345 +645 || SHELLCODE sparc NOOP || arachnids,353 +646 || SHELLCODE sparc NOOP || arachnids,355 +647 || SHELLCODE sparc setuid 0 || arachnids,282 +648 || SHELLCODE x86 NOOP || arachnids,181 +649 || SHELLCODE x86 setgid 0 || arachnids,284 +650 || SHELLCODE x86 setuid 0 || arachnids,436 +651 || SHELLCODE x86 stealth NOOP || arachnids,291 +652 || SHELLCODE Linux shellcode || arachnids,343 +653 || SHELLCODE x86 0x90 unicode NOOP +654 || SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260 +655 || SMTP sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204 +656 || SMTP EXPLOIT x86 windows CSMMail overflow || bugtraq,895 || cve,2000-0042 +657 || SMTP chameleon overflow || arachnids,266 || bugtraq,2387 || cve,1999-0261 +658 || SMTP exchange mime DOS || bugtraq,1869 || cve,2000-1006 
|| nessus,10558 || url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx +659 || SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248 +660 || SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249 +661 || SMTP majordomo ifs || arachnids,143 || bugtraq,2310 || cve,1999-0207 +662 || SMTP sendmail 5.5.5 exploit || arachnids,119 || cve,1999-0203 || nessus,10258 +663 || SMTP rcpt to command attempt || arachnids,172 || bugtraq,1 || cve,1999-0095 +664 || SMTP RCPT TO decode attempt || arachnids,121 || bugtraq,2308 || cve,1999-0203 +665 || SMTP sendmail 5.6.5 exploit || arachnids,122 || bugtraq,2308 || cve,1999-0203 +666 || SMTP sendmail 8.4.1 exploit || arachnids,120 +667 || SMTP sendmail 8.6.10 exploit || arachnids,123 || bugtraq,2311 || cve,1999-0204 +668 || SMTP sendmail 8.6.10 exploit || arachnids,124 || bugtraq,2311 || cve,1999-0204 +669 || SMTP sendmail 8.6.9 exploit || arachnids,142 || bugtraq,2311 || cve,1999-0204 +670 || SMTP sendmail 8.6.9 exploit || arachnids,139 || bugtraq,2311 || cve,1999-0204 +671 || SMTP sendmail 8.6.9c exploit || arachnids,141 || bugtraq,2311 || cve,1999-0204 +672 || SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096 +673 || MS-SQL sp_start_job - program execution +674 || MS-SQL xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +675 || MS-SQL xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +676 || MS-SQL/SMB sp_start_job - program execution +677 || MS-SQL/SMB sp_password password change +678 || MS-SQL/SMB sp_delete_alert log file deletion +679 || MS-SQL/SMB sp_adduser database user creation +680 || MS-SQL/SMB sa login failed || bugtraq,4797 || cve,2000-1209 +681 || MS-SQL/SMB xp_cmdshell program execution +682 || MS-SQL xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || 
url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +683 || MS-SQL sp_password - password change +684 || MS-SQL sp_delete_alert log file deletion +685 || MS-SQL sp_adduser - database user creation +686 || MS-SQL xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 +687 || MS-SQL xp_cmdshell - program execution +688 || MS-SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673 +689 || MS-SQL/SMB xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 +690 || MS-SQL/SMB xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +691 || MS-SQL shellcode attempt +692 || MS-SQL/SMB shellcode attempt +693 || MS-SQL shellcode attempt +694 || MS-SQL/SMB shellcode attempt +695 || MS-SQL/SMB xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx +696 || MS-SQL/SMB xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +697 || MS-SQL/SMB xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +698 || MS-SQL/SMB xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +699 || MS-SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +700 || MS-SQL/SMB xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +701 || MS-SQL xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || 
url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +702 || MS-SQL/SMB xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +703 || MS-SQL/SMB xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +704 || MS-SQL xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx +705 || MS-SQL xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +706 || MS-SQL xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +707 || MS-SQL xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +708 || MS-SQL/SMB xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +709 || TELNET 4Dgifts SGI account attempt || cve,1999-0501 || nessus,11243 +710 || TELNET EZsetup account attempt || cve,1999-0501 || nessus,11244 +711 || TELNET SGI telnetd format bug || arachnids,304 || bugtraq,1572 || cve,2000-0733 +712 || TELNET ld_library_path || arachnids,367 || bugtraq,459 || cve,1999-0073 +713 || TELNET livingston DOS || arachnids,370 || bugtraq,2225 || cve,1999-0218 +714 || TELNET resolv_host_conf || arachnids,369 || bugtraq,2181 || cve,2001-0170 +715 || TELNET Attempted SU from wrong group +716 || INFO TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280 +717 || TELNET not on console || arachnids,365 +718 || INFO TELNET login incorrect || arachnids,127 +719 || TELNET root login +720 || Virus - SnowWhite Trojan Incoming +721 || VIRUS OUTBOUND bad file attachment +722 || Virus - 
Possible NAVIDAD Worm +723 || Virus - Possible MyRomeo Worm +724 || Virus - Possible MyRomeo Worm +725 || Virus - Possible MyRomeo Worm +726 || Virus - Possible MyRomeo Worm +727 || Virus - Possible MyRomeo Worm +728 || Virus - Possible MyRomeo Worm +729 || VIRUS OUTBOUND .scr file attachment +730 || VIRUS OUTBOUND .shs file attachment +731 || Virus - Possible QAZ Worm || MCAFEE,98775 +732 || Virus - Possible QAZ Worm Infection || MCAFEE,98775 +733 || Virus - Possible QAZ Worm Calling Home || MCAFEE,98775 +734 || Virus - Possible Matrix worm +735 || Virus - Possible MyRomeo Worm +736 || Virus - Successful eurocalculator execution +737 || Virus - Possible eurocalculator.exe file +738 || Virus - Possible Pikachu Pokemon Virus || MCAFEE,98696 +739 || Virus - Possible Triplesix Worm || MCAFEE,10389 +740 || Virus - Possible Tune.vbs || MCAFEE,10497 +741 || Virus - Possible NAIL Worm || MCAFEE,10109 +742 || Virus - Possible NAIL Worm || MCAFEE,10109 +743 || Virus - Possible NAIL Worm || MCAFEE,10109 +744 || Virus - Possible NAIL Worm || MCAFEE,10109 +745 || Virus - Possible Papa Worm || MCAFEE,10145 +746 || Virus - Possible Freelink Worm || MCAFEE,10225 +747 || Virus - Possible Simbiosis Worm +748 || Virus - Possible BADASS Worm || MCAFEE,10388 +749 || Virus - Possible ExploreZip.B Worm || MCAFEE,10471 +751 || Virus - Possible wscript.KakWorm || MCAFEE,10509 +752 || Virus Possible Suppl Worm || MCAFEE,10361 +753 || Virus - Possible NewApt.Worm - theobbq.exe || MCAFEE,10540 +754 || Virus - Possible Word Macro - VALE || MCAFEE,10502 +755 || Virus - Possible IROK Worm || MCAFEE,98552 +756 || Virus - Possible Fix2001 Worm || MCAFEE,10355 +757 || Virus - Possible Y2K Zelu Trojan || MCAFEE,10505 +758 || Virus - Possible The_Fly Trojan || MCAFEE,10478 +759 || Virus - Possible Word Macro - VALE || MCAFEE,10502 +760 || Virus - Possible Passion Worm || MCAFEE,10467 +761 || Virus - Possible NewApt.Worm - cooler3.exe || MCAFEE,10540 +762 || Virus - Possible NewApt.Worm - party.exe 
|| MCAFEE,10540 +763 || Virus - Possible NewApt.Worm - hog.exe || MCAFEE,10540 +764 || Virus - Possible NewApt.Worm - goal1.exe || MCAFEE,10540 +765 || Virus - Possible NewApt.Worm - pirate.exe || MCAFEE,10540 +766 || Virus - Possible NewApt.Worm - video.exe || MCAFEE,10540 +767 || Virus - Possible NewApt.Worm - baby.exe || MCAFEE,10540 +768 || Virus - Possible NewApt.Worm - cooler1.exe || MCAFEE,10540 +769 || Virus - Possible NewApt.Worm - boss.exe || MCAFEE,10540 +770 || Virus - Possible NewApt.Worm - g-zilla.exe || MCAFEE,10540 +771 || Virus - Possible ToadieE-mail Trojan || MCAFEE,10540 +772 || Virus - Possible PrettyPark Trojan || MCAFEE,10175 +773 || Virus - Possible Happy99 Virus || MCAFEE,10144 +774 || Virus - Possible CheckThis Trojan +775 || Virus - Possible Bubbleboy Worm || MCAFEE,10418 +776 || Virus - Possible NewApt.Worm - copier.exe || MCAFEE,10540 +777 || Virus - Possible MyPics Worm || MCAFEE,10467 +778 || Virus - Possible Babylonia - X-MAS.exe || MCAFEE,10461 +779 || Virus - Possible NewApt.Worm - gadget.exe || MCAFEE,10540 +780 || Virus - Possible NewApt.Worm - irnglant.exe || MCAFEE,10540 +781 || Virus - Possible NewApt.Worm - casper.exe || MCAFEE,10540 +782 || Virus - Possible NewApt.Worm - fborfw.exe || MCAFEE,10540 +783 || Virus - Possible NewApt.Worm - saddam.exe || MCAFEE,10540 +784 || Virus - Possible NewApt.Worm - bboy.exe || MCAFEE,10540 +785 || Virus - Possible NewApt.Worm - monica.exe || MCAFEE,10540 +786 || Virus - Possible NewApt.Worm - goal.exe || MCAFEE,10540 +787 || Virus - Possible NewApt.Worm - panther.exe || MCAFEE,10540 +788 || Virus - Possible NewApt.Worm - chestburst.exe || MCAFEE,10540 +789 || Virus - Possible NewApt.Worm - farter.exe || MCAFEE,1054 +790 || Virus - Possible Common Sense Worm +791 || Virus - Possible NewApt.Worm - cupid2.exe || MCAFEE,10540 +792 || Virus - Possible Resume Worm || MCAFEE,98661 +793 || VIRUS OUTBOUND .vbs file attachment +794 || Virus - Possible Resume Worm || MCAFEE,98661 +795 || Virus - 
Possible Worm - txt.vbs file +796 || Virus - Possible Worm - xls.vbs file +797 || Virus - Possible Worm - jpg.vbs file +798 || Virus - Possible Worm - gif.vbs file +799 || Virus - Possible Timofonica Worm || MCAFEE,98674 +800 || Virus - Possible Resume Worm || MCAFEE,98661 +801 || Virus - Possible Worm - doc.vbs file +802 || Virus - Possbile Zipped Files Trojan || MCAFEE,10450 +803 || WEB-CGI HyperSeek hsx.cgi directory traversal attempt || bugtraq,2314 || cve,2001-0253 || nessus,10602 +804 || WEB-CGI SWSoft ASPSeek Overflow attempt || bugtraq,2492 || cve,2001-0476 +805 || WEB-CGI webspeed access || arachnids,467 || bugtraq,969 || cve,2000-0127 || nessus,10304 +806 || WEB-CGI yabb directory traversal attempt || arachnids,462 || bugtraq,1668 || cve,2000-0853 +807 || WEB-CGI /wwwboard/passwd.txt access || arachnids,463 || bugtraq,649 || cve,1999-0953 || cve,1999-0954 || nessus,10321 +808 || WEB-CGI webdriver access || arachnids,473 || bugtraq,2166 || nessus,10592 +809 || WEB-CGI whois_raw.cgi arbitrary command execution attempt || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 +810 || WEB-CGI whois_raw.cgi access || arachnids,466 || bugtraq,304 || cve,1999-1063 || nessus,10306 +811 || WEB-CGI websitepro path access || arachnids,468 || bugtraq,932 || cve,2000-0066 +812 || WEB-CGI webplus version access || arachnids,470 || bugtraq,1102 || cve,2000-0282 +813 || WEB-CGI webplus directory traversal || arachnids,471 || bugtraq,1102 || cve,2000-0282 +815 || WEB-CGI websendmail access || arachnids,469 || bugtraq,2077 || cve,1999-0196 || nessus,10301 +817 || WEB-CGI dcboard.cgi invalid user addition attempt || bugtraq,2728 || cve,2001-0527 || nessus,10583 +818 || WEB-CGI dcforum.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583 +819 || WEB-CGI mmstdod.cgi access || bugtraq,2063 || cve,2001-0021 || nessus,10566 +820 || WEB-CGI anaconda directory transversal attempt || bugtraq,2338 || bugtraq,2388 || cve,2000-0975 || cve,2001-0308 +821 || WEB-CGI 
imagemap.exe overflow attempt || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122 +823 || WEB-CGI cvsweb.cgi access || bugtraq,1469 || cve,2000-0670 || nessus,10465 +824 || WEB-CGI php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178 +825 || WEB-CGI glimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095 +826 || WEB-CGI htmlscript access || bugtraq,2001 || cve,1999-0264 || nessus,10106 +827 || WEB-CGI info2www access || bugtraq,1995 || cve,1999-0266 || nessus,10127 +828 || WEB-CGI maillist.pl access +829 || WEB-CGI nph-test-cgi access || arachnids,224 || bugtraq,686 || cve,1999-0045 || nessus,10165 +830 || WEB-CGI NPH-publish access || cve,1999-1177 || nessus,10164 +832 || WEB-CGI perl.exe access || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html +833 || WEB-CGI rguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 +834 || WEB-CGI rwwwshell.pl access || url,www.itsecurity.com/papers/p37.htm +835 || WEB-CGI test-cgi access || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 +836 || WEB-CGI textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451 +837 || WEB-CGI uploader.exe access || bugtraq,1611 || cve,1999-0177 || cve,2000-0769 || nessus,10291 +838 || WEB-CGI webgais access || arachnids,472 || bugtraq,2058 || cve,1999-0176 || nessus,10300 +839 || WEB-CGI finger access || arachnids,221 || cve,1999-0612 || nessus,10071 +840 || WEB-CGI perlshop.cgi access || cve,1999-1374 +841 || WEB-CGI pfdisplay.cgi access || bugtraq,64 || cve,1999-0270 || nessus,10174 +842 || WEB-CGI aglimpse access || bugtraq,2026 || cve,1999-0147 || nessus,10095 +843 || WEB-CGI anform2 access || arachnids,225 || bugtraq,719 || cve,1999-0066 +844 || WEB-CGI args.bat access || cve,1999-1180 || nessus,11465 +845 || WEB-CGI AT-admin.cgi access || cve,1999-1072 +846 || WEB-CGI bnbform.cgi access || bugtraq,2147 || cve,1999-0937 +847 || 
WEB-CGI campas access || bugtraq,1975 || cve,1999-0146 || nessus,10035 +848 || WEB-CGI view-source directory traversal || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 +849 || WEB-CGI view-source access || bugtraq,2251 || bugtraq,8883 || cve,1999-0174 +850 || WEB-CGI wais.pl access +851 || WEB-CGI files.pl access || cve,1999-1081 +852 || WEB-CGI wguest.exe access || bugtraq,2024 || cve,1999-0287 || cve,1999-0467 +853 || WEB-CGI wrap access || arachnids,234 || bugtraq,373 || cve,1999-0149 || nessus,10317 +854 || WEB-CGI classifieds.cgi access || bugtraq,2020 || cve,1999-0934 +855 || WEB-CGI edit.pl access || bugtraq,2713 +856 || WEB-CGI environ.cgi access +857 || WEB-CGI faxsurvey access || bugtraq,2056 || cve,1999-0262 || nessus,10067 +858 || WEB-CGI filemail access || cve,1999-1154 +859 || WEB-CGI man.sh access || bugtraq,2276 || cve,1999-1179 +860 || WEB-CGI snork.bat access || arachnids,220 || bugtraq,1053 || cve,2000-0169 +861 || WEB-CGI w3-msql access || arachnids,210 || bugtraq,591 || bugtraq,898 || cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296 +862 || WEB-CGI csh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +863 || WEB-CGI day5datacopier.cgi access || cve,1999-1232 +864 || WEB-CGI day5datanotifier.cgi access || cve,1999-1232 +865 || WEB-CGI ksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +866 || WEB-CGI post-query access || bugtraq,6752 || cve,2001-0291 +867 || WEB-CGI visadmin.exe access || bugtraq,1808 || cve,1999-0970 || cve,1999-1970 || nessus,10295 +868 || WEB-CGI rsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +869 || WEB-CGI dumpenv.pl access || cve,1999-1178 || nessus,10060 +870 || WEB-CGI snorkerz.cmd access +871 || WEB-CGI survey.cgi access || bugtraq,1817 || cve,1999-0936 +872 || WEB-CGI tcsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +873 || WEB-CGI scriptalias access || arachnids,227 || bugtraq,2300 || cve,1999-0236 +874 
|| WEB-CGI w3-msql solaris x86 access || arachnids,211 || cve,1999-0276 +875 || WEB-CGI win-c-sample.exe access || arachnids,231 || bugtraq,2078 || cve,1999-0178 || nessus,10008 +877 || WEB-CGI rksh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +878 || WEB-CGI w3tvars.pm access +879 || WEB-CGI admin.pl access || bugtraq,3839 || url,online.securityfocus.com/archive/1/249355 +880 || WEB-CGI LWGate access || url,www.netspace.org/~dwb/lwgate/lwgate-history.html || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm +881 || WEB-CGI archie access +882 || WEB-CGI calendar access +883 || WEB-CGI flexform access || url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm +884 || WEB-CGI formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 +885 || WEB-CGI bash access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +886 || WEB-CGI phf access || arachnids,128 || bugtraq,629 || cve,1999-0067 +887 || WEB-CGI www-sql access || url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2 +888 || WEB-CGI wwwadmin.pl access +889 || WEB-CGI ppdscgi.exe access || bugtraq,491 || nessus,10187 || url,online.securityfocus.com/archive/1/16878 +890 || WEB-CGI sendform.cgi access || bugtraq,5286 || cve,2002-0710 || url,www.scn.org/help/sendform.txt +891 || WEB-CGI upload.pl access +892 || WEB-CGI AnyForm2 access || bugtraq,719 || cve,1999-0066 || nessus,10277 +893 || WEB-CGI MachineInfo access || cve,1999-1067 +894 || WEB-CGI bb-hist.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 +895 || WEB-CGI redirect access || bugtraq,1179 || cve,2000-0382 +896 || WEB-CGI way-board access || bugtraq,2370 || cve,2001-0214 || nessus,10610 +897 || WEB-CGI pals-cgi access || bugtraq,2372 || cve,2001-0216 || cve,2001-0217 || nessus,10611 +898 || WEB-CGI commerce.cgi access || bugtraq,2361 || cve,2001-0210 || nessus,10612 +899 || WEB-CGI Amaya templates sendtemp.pl directory traversal attempt || 
bugtraq,2504 || cve,2001-0272 +900 || WEB-CGI webspirs.cgi directory traversal attempt || bugtraq,2362 || cve,2001-0211 || nessus,10616 +901 || WEB-CGI webspirs.cgi access || bugtraq,2362 || cve,2001-0211 || nessus,10616 +902 || WEB-CGI tstisapi.dll access || bugtraq,2381 || cve,2001-0302 +903 || WEB-COLDFUSION cfcache.map access || bugtraq,917 || cve,2000-0057 +904 || WEB-COLDFUSION exampleapp application.cfm || bugtraq,1021 || cve,2000-0189 +905 || WEB-COLDFUSION application.cfm access || bugtraq,1021 || cve,2000-0189 +906 || WEB-COLDFUSION getfile.cfm access || bugtraq,229 || cve,1999-0800 +907 || WEB-COLDFUSION addcontent.cfm access +908 || WEB-COLDFUSION administrator access || bugtraq,1314 || cve,2000-0538 +909 || WEB-COLDFUSION datasource username attempt || bugtraq,550 +910 || WEB-COLDFUSION fileexists.cfm access || bugtraq,550 +911 || WEB-COLDFUSION exprcalc access || bugtraq,115 || bugtraq,550 || cve,1999-0455 +912 || WEB-COLDFUSION parks access || bugtraq,550 +913 || WEB-COLDFUSION cfappman access || bugtraq,550 +914 || WEB-COLDFUSION beaninfo access || bugtraq,550 +915 || WEB-COLDFUSION evaluate.cfm access || bugtraq,550 +916 || WEB-COLDFUSION getodbcdsn access || bugtraq,550 +917 || WEB-COLDFUSION db connections flush attempt || bugtraq,550 +918 || WEB-COLDFUSION expeval access || bugtraq,550 || cve,1999-0477 +919 || WEB-COLDFUSION datasource passwordattempt || bugtraq,550 +920 || WEB-COLDFUSION datasource attempt || bugtraq,550 +921 || WEB-COLDFUSION admin encrypt attempt || bugtraq,550 +922 || WEB-COLDFUSION displayfile access || bugtraq,550 +923 || WEB-COLDFUSION getodbcin attempt || bugtraq,550 +924 || WEB-COLDFUSION admin decrypt attempt || bugtraq,550 +925 || WEB-COLDFUSION mainframeset access || bugtraq,550 +926 || WEB-COLDFUSION set odbc ini attempt || bugtraq,550 +927 || WEB-COLDFUSION settings refresh attempt || bugtraq,550 +928 || WEB-COLDFUSION exampleapp access +929 || WEB-COLDFUSION CFUSION_VERIFYMAIL access || bugtraq,550 +930 || 
WEB-COLDFUSION snippets attempt || bugtraq,550 +931 || WEB-COLDFUSION cfmlsyntaxcheck.cfm access || bugtraq,550 +932 || WEB-COLDFUSION application.cfm access || arachnids,268 || bugtraq,550 || cve,2000-0189 +933 || WEB-COLDFUSION onrequestend.cfm access || arachnids,269 || bugtraq,550 || cve,2000-0189 +935 || WEB-COLDFUSION startstop DOS access || bugtraq,247 +936 || WEB-COLDFUSION gettempdirectory.cfm access || bugtraq,550 +937 || WEB-FRONTPAGE _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585 +939 || WEB-FRONTPAGE posting || bugtraq,2144 || cve,2001-0096 || nessus,10585 || url,www.microsoft.com/technet/security/bulletin/MS00-100.mspx +940 || WEB-FRONTPAGE shtml.dll access || arachnids,292 || bugtraq,1174 || bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 || nessus,11395 || url,www.microsoft.com/technet/security/bulletin/ms00-060.mspx +941 || WEB-FRONTPAGE contents.htm access +942 || WEB-FRONTPAGE orders.htm access +943 || WEB-FRONTPAGE fpsrvadm.exe access +944 || WEB-FRONTPAGE fpremadm.exe access +945 || WEB-FRONTPAGE fpadmin.htm access +946 || WEB-FRONTPAGE fpadmcgi.exe access +947 || WEB-FRONTPAGE orders.txt access +948 || WEB-FRONTPAGE form_results access || cve,1999-1052 +949 || WEB-FRONTPAGE registrations.htm access +950 || WEB-FRONTPAGE cfgwiz.exe access +951 || WEB-FRONTPAGE authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078 +952 || WEB-FRONTPAGE author.exe access +953 || WEB-FRONTPAGE administrators.pwd access || bugtraq,1205 +954 || WEB-FRONTPAGE form_results.htm access || cve,1999-1052 +955 || WEB-FRONTPAGE access.cnf access || bugtraq,4078 || nessus,10575 +956 || WEB-FRONTPAGE register.txt access +957 || WEB-FRONTPAGE registrations.txt access +958 || WEB-FRONTPAGE service.cnf access || bugtraq,4078 || nessus,10575 +959 || WEB-FRONTPAGE service.pwd || bugtraq,1205 +960 || WEB-FRONTPAGE service.stp access +961 || WEB-FRONTPAGE services.cnf access || bugtraq,4078 || nessus,10575 +962 || WEB-FRONTPAGE shtml.exe 
access || bugtraq,1174 || bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 || cve,2002-0692 || nessus,10405 || nessus,11311 +963 || WEB-FRONTPAGE svcacl.cnf access || bugtraq,4078 || nessus,10575 +964 || WEB-FRONTPAGE users.pwd access +965 || WEB-FRONTPAGE writeto.cnf access || bugtraq,4078 || nessus,10575 +966 || WEB-FRONTPAGE .... request || arachnids,248 || bugtraq,989 || cve,1999-0386 || cve,2000-0153 || nessus,10142 +967 || WEB-FRONTPAGE dvwssr.dll access || arachnids,271 || bugtraq,1108 || bugtraq,1109 || cve,2000-0260 || url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx +968 || WEB-FRONTPAGE register.htm access +969 || WEB-IIS WebDAV file lock attempt || bugtraq,2736 +970 || WEB-IIS multiple decode attempt || bugtraq,2708 || cve,2001-0333 || nessus,10671 +971 || WEB-IIS ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx +972 || WEB-IIS %2E-asp access || bugtraq,1814 || cve,1999-0253 +973 || WEB-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 || cve,2000-0661 +974 || WEB-IIS Directory transversal attempt || bugtraq,2218 || cve,1999-0229 +975 || WEB-IIS Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb\ +976 || WEB-IIS .bat? 
access || bugtraq,2023 || cve,1999-0233 || url,support.microsoft.com/support/kb/articles/Q148/1/88.asp || url,support.microsoft.com/support/kb/articles/Q155/0/56.asp +977 || WEB-IIS .cnf access || bugtraq,4078 || nessus,10575 +978 || WEB-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 || nessus,10356 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx +979 || WEB-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 || url,www.microsoft.com/technet/security/bulletin/MS00-006.mspx +980 || WEB-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726 +981 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +982 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +983 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +984 || WEB-IIS JET VBA access || bugtraq,307 || cve,1999-0874 || nessus,10116 +985 || WEB-IIS JET VBA access || bugtraq,286 || cve,1999-0874 +986 || WEB-IIS MSProxy access || url,support.microsoft.com/?kbid=331066 +987 || WEB-IIS .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680 +988 || WEB-IIS SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml +989 || BACKDOOR sensepost.exe command shell attempt || nessus,11003 +990 || WEB-FRONTPAGE _vti_inf.html access || nessus,11455 +991 || WEB-IIS achg.htr access || bugtraq,2110 || cve,1999-0407 +992 || WEB-IIS adctest.asp access +993 || WEB-IIS iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032 +994 || WEB-IIS /scripts/iisadmin/default.htm access +995 || WEB-IIS ism.dll access || bugtraq,189 || cve,1999-1538 || cve,2000-0630 +996 || WEB-IIS anot.htr access || bugtraq,2110 || cve,1999-0407 +997 || WEB-IIS asp-dot attempt || bugtraq,1814 || nessus,10363 +998 || WEB-IIS asp-srch attempt +999 || WEB-IIS bdir access || bugtraq,2280 +1000 || WEB-IIS bdir.htr access || bugtraq,2280 || nessus,10577 +1001 || WEB-MISC carbo.dll access || 
bugtraq,2126 || cve,1999-1069 +1002 || WEB-IIS cmd.exe access +1003 || WEB-IIS cmd? access +1004 || WEB-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815 +1005 || WEB-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736 +1007 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 || url,www.microsoft.com/technet/security/bulletin/MS00-028.mspx +1008 || WEB-IIS del attempt +1009 || WEB-IIS directory listing || nessus,10573 +1010 || WEB-IIS encoding access || arachnids,200 || bugtraq,886 || cve,2000-0024 || url,http//www.microsoft.com/technet/security/bulletin/MS99-061.mspx +1011 || WEB-IIS exec-src access +1012 || WEB-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376 +1013 || WEB-IIS fpcount access || bugtraq,2252 || cve,1999-1376 +1015 || WEB-IIS getdrvs.exe access +1016 || WEB-IIS global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991 +1017 || WEB-IIS idc-srch attempt || cve,1999-0874 +1018 || WEB-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 +1019 || IIS Malformed Hit-Highlighting Argument File Access Attempt || bugtraq,950 || cve,2000-0097 || url,www.microsoft.com/technet/security/bulletin/ms00-006.mspx || url,www.securityfocus.com/archive/1/43762 +1020 || WEB-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 || nessus,10116 +1021 || WEB-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-031.mspx +1022 || WEB-IIS jet vba access || bugtraq,286 || cve,1999-0874 +1023 || WEB-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357 +1024 || WEB-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 || nessus,10360 +1025 || WEB-IIS perl access +1026 || WEB-IIS perl-browse newline attempt || bugtraq,6833 +1027 || WEB-IIS perl-browse space attempt || bugtraq,6833 +1028 || WEB-IIS query.asp access || bugtraq,193 || cve,1999-0449 +1029 || WEB-IIS 
scripts-browse access || nessus,11032 +1030 || WEB-IIS search97.vts access || bugtraq,162 +1031 || WEB-IIS /SiteServer/Publishing/viewcode.asp access || nessus,10576 +1032 || WEB-IIS showcode access || nessus,10576 +1033 || WEB-IIS showcode access || nessus,10576 +1034 || WEB-IIS showcode access || nessus,10576 +1035 || WEB-IIS showcode access || nessus,10576 +1036 || WEB-IIS showcode access || nessus,10576 +1037 || WEB-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 || nessus,10007 || url,www.microsoft.com/technet/security/bulletin/MS99-013.mspx +1038 || WEB-IIS site server config access || bugtraq,256 || cve,1999-1520 +1039 || WEB-IIS srch.htm access +1040 || WEB-IIS srchadm access || nessus,11032 +1041 || WEB-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360 +1042 || WEB-IIS view source via translate header || arachnids,305 || bugtraq,1578 || cve,2000-0778 +1043 || WEB-IIS viewcode.asp access || cve,1999-0737 || nessus,10576 +1044 || WEB-IIS webhits access || arachnids,237 || bugtraq,950 || cve,2000-0097 +1045 || WEB-IIS Unauthorized IP Access Attempt +1046 || WEB-IIS site/iisamples access || nessus,10370 +1047 || WEB-MISC Netscape Enterprise DOS || bugtraq,2294 || cve,2001-0251 +1048 || WEB-MISC Netscape Enterprise directory listing attempt || bugtraq,2285 || cve,2001-0250 +1049 || WEB-MISC iPlanet ../../ DOS attempt || bugtraq,2282 || cve,2001-0252 +1050 || WEB-MISC iPlanet GETPROPERTIES attempt || bugtraq,2732 || cve,2001-0746 +1051 || WEB-CGI technote main.cgi file directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 +1052 || WEB-CGI technote print.cgi directory traversal attempt || bugtraq,2156 || cve,2001-0075 || nessus,10584 +1053 || WEB-CGI ads.cgi command execution attempt || bugtraq,2103 || cve,2001-0025 || nessus,11464 +1054 || WEB-MISC weblogic/tomcat .jsp view source attempt || bugtraq,2527 +1055 || WEB-MISC Tomcat directory traversal attempt || bugtraq,2518 +1056 || WEB-MISC Tomcat view source attempt || 
bugtraq,2527 || cve,2001-0590 +1057 || WEB-MISC ftp attempt +1058 || WEB-MISC xp_enumdsn attempt +1059 || WEB-MISC xp_filelist attempt +1060 || WEB-MISC xp_availablemedia attempt +1061 || WEB-MISC xp_cmdshell attempt +1062 || WEB-MISC nc.exe attempt +1064 || WEB-MISC wsh attempt +1065 || WEB-MISC rcmd attempt +1066 || WEB-MISC telnet attempt +1067 || WEB-MISC net attempt +1068 || WEB-MISC tftp attempt +1069 || WEB-MISC xp_regread attempt +1070 || WEB-MISC WebDAV search access || arachnids,474 || bugtraq,1756 || cve,2000-0951 +1071 || WEB-MISC .htpasswd access +1072 || WEB-MISC Lotus Domino directory traversal || bugtraq,2173 || cve,2001-0009 || nessus,12248 +1073 || WEB-MISC webhits.exe access || bugtraq,950 || cve,2000-0097 +1075 || WEB-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360 +1076 || WEB-IIS repost.asp access || nessus,10372 +1077 || WEB-MISC queryhit.htm access || nessus,10370 +1078 || WEB-MISC counter.exe access || bugtraq,267 || cve,1999-1030 +1079 || WEB-MISC WebDAV propfind access || bugtraq,1656 || cve,2000-0869 +1080 || WEB-MISC unify eWave ServletExec upload || bugtraq,1868 || bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570 +1081 || WEB-MISC Netscape Servers suite DOS || bugtraq,1868 || cve,2000-1025 +1082 || WEB-MISC amazon 1-click cookie theft || bugtraq,1194 || cve,2000-0439 +1083 || WEB-MISC unify eWave ServletExec DOS || bugtraq,1868 || cve,2000-1025 +1084 || WEB-MISC Allaire JRUN DOS attempt || bugtraq,2337 || cve,2000-1049 +1085 || WEB-PHP strings overflow || arachnids,431 || bugtraq,802 +1086 || WEB-PHP strings overflow || arachnids,430 || bugtraq,1786 || cve,2000-0967 +1087 || WEB-MISC whisker tab splice attack || arachnids,415 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html +1088 || WEB-CGI eXtropia webstore directory traversal || bugtraq,1774 || cve,2000-1005 || nessus,10532 +1089 || WEB-CGI shopping cart directory traversal || bugtraq,1777 || cve,2000-0921 +1090 || WEB-CGI Allaire Pro Web Shell 
attempt +1091 || WEB-MISC ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078 +1092 || WEB-CGI Armada Style Master Index directory traversal || bugtraq,1772 || cve,2000-0924 || nessus,10562 || url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt +1093 || WEB-CGI cached_feed.cgi moreover shopping cart directory traversal || bugtraq,1762 || cve,2000-0906 +1094 || WEB-CGI webstore directory traversal || bugtraq,1774 || cve,2000-1005 +1095 || WEB-MISC Talentsoft Web+ Source Code view access || bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html +1096 || WEB-MISC Talentsoft Web+ internal IP Address access || bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html +1097 || WEB-CGI Talentsoft Web+ exploit attempt || bugtraq,1725 +1098 || WEB-MISC SmartWin CyberOffice Shopping Cart access || bugtraq,1734 || cve,2000-0925 +1099 || WEB-MISC cybercop scan || arachnids,374 +1100 || WEB-MISC L3retriever HTTP Probe || arachnids,310 +1101 || WEB-MISC Webtrends HTTP probe || arachnids,309 +1102 || WEB-MISC nessus 1.X 404 probe || arachnids,301 +1103 || WEB-MISC Netscape admin passwd || bugtraq,1579 || nessus,10468 +1104 || WEB-MISC whisker space splice attack || arachnids,296 || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html +1105 || WEB-MISC BigBrother access || bugtraq,1455 || cve,2000-0638 || nessus,10460 +1106 || WEB-CGI Poll-it access || bugtraq,1431 || cve,2000-0590 || nessus,10459 +1107 || WEB-MISC ftp.pl access || bugtraq,1471 || cve,2000-0674 || nessus,10467 +1108 || WEB-MISC Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 +1109 || WEB-MISC ROXEN directory list attempt || bugtraq,1510 || cve,2000-0671 +1110 || WEB-MISC apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 +1111 || WEB-MISC Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477 +1112 || WEB-MISC http directory traversal || arachnids,298 +1113 || WEB-MISC http 
directory traversal || arachnids,297 +1114 || WEB-MISC prefix-get // +1115 || WEB-MISC ICQ webserver DOS || cve,1999-0474 || url,www.securiteam.com/exploits/2ZUQ1QAQOG.html +1116 || WEB-MISC Lotus DelDoc attempt +1117 || WEB-MISC Lotus EditDoc attempt || url,www.securiteam.com/exploits/5NP080A1RE.html +1118 || WEB-MISC ls%20-l +1119 || WEB-MISC mlog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 +1120 || WEB-MISC mylog.phtml access || bugtraq,713 || cve,1999-0068 || cve,1999-0346 +1121 || WEB-MISC O'Reilly args.bat access +1122 || WEB-MISC /etc/passwd +1123 || WEB-MISC ?PageServices access || bugtraq,1063 || bugtraq,7621 || cve,1999-0269 +1124 || WEB-MISC Ecommerce check.txt access +1125 || WEB-MISC webcart access || cve,1999-0610 || nessus,10298 +1126 || WEB-MISC AuthChangeUrl access || bugtraq,2110 || cve,1999-0407 +1127 || WEB-MISC convert.bas access || bugtraq,2025 || cve,1999-0175 +1128 || WEB-MISC cpshost.dll access || bugtraq,1811 || bugtraq,4002 || cve,1999-0360 +1129 || WEB-MISC .htaccess access +1130 || WEB-MISC .wwwacl access +1131 || WEB-MISC .wwwacl access +1132 || WEB-MISC Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744 +1133 || SCAN cybercop os probe || arachnids,145 +1134 || WEB-PHP Phorum admin access || arachnids,205 || bugtraq,2271 +1136 || WEB-MISC cd.. +1137 || WEB-PHP Phorum authentication access || arachnids,206 || bugtraq,2274 +1138 || WEB-MISC Cisco Web DOS attempt || arachnids,275 +1139 || WEB-MISC whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html +1140 || WEB-MISC guestbook.pl access || arachnids,228 || bugtraq,776 || cve,1999-0237 || cve,1999-1053 || nessus,10099 +1141 || WEB-MISC handler access || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 +1142 || WEB-MISC /.... 
access +1143 || WEB-MISC ///cgi-bin access || nessus,11032 +1144 || WEB-MISC /cgi-bin/// access || nessus,11032 +1145 || WEB-MISC /~root access +1146 || WEB-MISC Ecommerce import.txt access +1147 || WEB-MISC cat%20 access || bugtraq,374 || cve,1999-0039 +1148 || WEB-MISC Ecommerce import.txt access +1149 || WEB-CGI count.cgi access || bugtraq,128 || cve,1999-0021 || nessus,10049 +1150 || WEB-MISC Domino catalog.nsf access || nessus,10629 +1151 || WEB-MISC Domino domcfg.nsf access || nessus,10629 +1152 || WEB-MISC Domino domlog.nsf access || nessus,10629 +1153 || WEB-MISC Domino log.nsf access || nessus,10629 +1154 || WEB-MISC Domino names.nsf access || nessus,10629 +1155 || WEB-MISC Ecommerce checks.txt access || bugtraq,2281 +1156 || WEB-MISC apache directory disclosure attempt || bugtraq,2503 +1157 || WEB-MISC Netscape PublishingXpert access || cve,2000-1196 || nessus,10364 +1158 || WEB-MISC windmail.exe access || arachnids,465 || bugtraq,1073 || cve,2000-0242 || nessus,10365 +1159 || WEB-MISC webplus access || bugtraq,1174 || bugtraq,1720 || bugtraq,1722 || bugtraq,1725 || cve,2000-1005 +1160 || WEB-MISC Netscape dir index wp || arachnids,270 || bugtraq,1063 || cve,2000-0236 +1161 || WEB-PHP piranha passwd.php3 access || arachnids,272 || bugtraq,1149 || cve,2000-0322 +1162 || WEB-MISC cart 32 AdminPwd access || bugtraq,1153 || cve,2000-0429 +1163 || WEB-CGI webdist.cgi access || bugtraq,374 || cve,1999-0039 || nessus,10299 +1164 || WEB-MISC shopping cart access || bugtraq,1983 || bugtraq,2049 || cve,1999-0607 || cve,2000-1188 +1165 || WEB-MISC Novell Groupwise gwweb.exe access || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 +1166 || WEB-MISC ws_ftp.ini access || bugtraq,547 || cve,1999-1078 +1167 || WEB-MISC rpm_query access || bugtraq,1036 || cve,2000-0192 || nessus,10340 +1168 || WEB-MISC mall log order access || bugtraq,2266 || cve,1999-0606 +1171 || WEB-MISC whisker HEAD with large datagram || 
url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html +1172 || WEB-CGI bigconf.cgi access || bugtraq,778 || cve,1999-1550 || nessus,10027 +1173 || WEB-MISC architext_query.pl access || bugtraq,2248 || cve,1999-0279 || nessus,10064 || url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt +1174 || WEB-CGI /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260 || nessus,10131 +1175 || WEB-MISC wwwboard.pl access || bugtraq,1795 || bugtraq,649 || cve,1999-0930 || cve,1999-0954 +1176 || WEB-MISC order.log access +1177 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 +1178 || WEB-PHP Phorum read access || arachnids,208 +1179 || WEB-PHP Phorum violation access || arachnids,209 || bugtraq,2272 +1180 || WEB-MISC get32.exe access || arachnids,258 || bugtraq,1485 || bugtraq,770 || cve,1999-0885 || nessus,10011 +1181 || WEB-MISC Annex Terminal DOS attempt || arachnids,260 || cve,1999-1070 || nessus,10017 +1182 || WEB-MISC cgitest.exe attempt || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 +1183 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 || nessus,10352 +1184 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1185 || WEB-CGI bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383 +1186 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1187 || WEB-MISC SalesLogix Eviewer web command attempt || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 +1188 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1189 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1190 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1191 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1192 || WEB-MISC Trend Micro 
OfficeScan access || bugtraq,1057 +1193 || WEB-MISC oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 +1194 || WEB-CGI sojourn.cgi File attempt || bugtraq,1052 || cve,2000-0180 || nessus,10349 +1195 || WEB-CGI sojourn.cgi access || bugtraq,1052 || cve,2000-0180 || nessus,10349 +1196 || WEB-CGI SGI InfoSearch fname attempt || arachnids,290 || bugtraq,1031 || cve,2000-0207 +1197 || WEB-PHP Phorum code access || arachnids,207 +1198 || WEB-MISC Netscape Enterprise Server directory view || bugtraq,1063 || cve,2000-0236 +1199 || WEB-MISC Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 +1200 || ATTACK-RESPONSES Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx +1201 || ATTACK-RESPONSES 403 Forbidden +1202 || WEB-MISC search.vts access || bugtraq,162 +1204 || WEB-CGI ax-admin.cgi access +1205 || WEB-CGI axs.cgi access +1206 || WEB-CGI cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034 +1207 || WEB-MISC htgrep access || cve,2000-0832 +1208 || WEB-CGI responder.cgi access || bugtraq,3155 +1209 || WEB-MISC .nsconfig access || url,www.osvdb.org/5709 +1211 || WEB-CGI web-map.cgi access +1212 || WEB-MISC Admin_files access +1213 || WEB-MISC backup access +1214 || WEB-MISC intranet access || nessus,11626 +1215 || WEB-CGI ministats admin access +1216 || WEB-MISC filemail access || cve,1999-1154 || cve,1999-1155 || url,www.securityfocus.com/archive/1/11175 +1217 || WEB-MISC plusmail access || bugtraq,2653 || cve,2000-0074 || nessus,10181 +1218 || WEB-MISC adminlogin access || bugtraq,1164 || bugtraq,1175 || nessus,11748 +1219 || WEB-CGI dfire.cgi access || bugtraq,564 || cve,1999-0913 +1220 || WEB-MISC ultraboard access || bugtraq,1164 || bugtraq,1175 || nessus,11748 +1221 || WEB-MISC musicat empower access || bugtraq,2374 || cve,2001-0224 || nessus,10609 +1222 || WEB-CGI pals-cgi arbitrary file access attempt || bugtraq,2372 || cve,2001-0217 || 
nessus,10611 +1224 || WEB-MISC ROADS search.pl attempt || bugtraq,2371 || cve,2001-0215 || nessus,10627 +1225 || X11 MIT Magic Cookie detected || arachnids,396 +1226 || X11 xopen || arachnids,395 +1227 || X11 outbound client connection detected || arachnids,126 +1228 || SCAN nmap XMAS || arachnids,30 +1229 || FTP CWD ... || bugtraq,9237 +1230 || WEB-MISC VirusWall FtpSave access || bugtraq,2808 || cve,2001-0432 || nessus,10733 +1231 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 +1232 || WEB-MISC VirusWall catinfo access || bugtraq,2579 || bugtraq,2808 || cve,2001-0432 || nessus,10650 +1233 || WEB-CLIENT Outlook EML access || nessus,10767 +1234 || WEB-MISC VirusWall FtpSaveCSP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 +1235 || WEB-MISC VirusWall FtpSaveCVP access || bugtraq,2808 || cve,2001-0432 || nessus,10733 +1236 || WEB-MISC Tomcat sourecode view +1237 || WEB-MISC Tomcat sourecode view +1238 || WEB-MISC Tomcat sourecode view +1239 || NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 +1240 || EXPLOIT MDBMS overflow || bugtraq,1252 || cve,2000-0446 +1241 || WEB-MISC SWEditServlet directory traversal attempt || bugtraq,2868 || cve,2001-0555 +1242 || WEB-IIS ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 +1243 || WEB-IIS ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 +1244 || WEB-IIS ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 +1245 || WEB-IIS ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 +1246 || WEB-FRONTPAGE rad overflow attempt || arachnids,555 || bugtraq,2906 || cve,2001-0341 || url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx +1247 || WEB-FRONTPAGE rad overflow attempt || bugtraq,2906 || cve,2001-0341 +1248 || WEB-FRONTPAGE rad fp30reg.dll access || arachnids,555 || bugtraq,2906 || cve,2001-0341 || 
url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx +1249 || WEB-FRONTPAGE frontpage rad fp4areg.dll access || bugtraq,2906 || cve,2001-0341 +1250 || WEB-MISC Cisco IOS HTTP configuration attempt || bugtraq,2936 || cve,2001-0537 +1251 || INFO TELNET Bad Login +1252 || TELNET bsd telnet exploit response || bugtraq,3064 || cve,2001-0554 || nessus,10709 +1253 || TELNET bsd exploit client finishing || bugtraq,3064 || cve,2001-0554 || nessus,10709 +1254 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 +1255 || WEB-PHP PHPLIB remote command attempt || bugtraq,3079 || cve,2001-1370 +1256 || WEB-IIS CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html +1257 || DOS Winnuke attack || bugtraq,2010 || cve,1999-0153 +1258 || WEB-MISC HP OpenView Manager DOS || bugtraq,2845 || cve,2001-0552 +1259 || WEB-MISC SWEditServlet access || bugtraq,2868 +1260 || WEB-MISC long basic authorization string || bugtraq,3230 || cve,2001-1067 +1261 || EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745 +1262 || RPC portmap admind request TCP || arachnids,18 +1263 || RPC portmap amountd request TCP || arachnids,19 +1264 || RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647 +1265 || RPC portmap cmsd request TCP || arachnids,17 +1266 || RPC portmap mountd request TCP || arachnids,13 +1267 || RPC portmap nisd request TCP || arachnids,21 +1268 || RPC portmap pcnfsd request TCP || arachnids,22 +1269 || RPC portmap rexd request TCP || arachnids,23 +1270 || RPC portmap rstatd request TCP || arachnids,10 +1271 || RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626 +1272 || RPC portmap sadmind request TCP || arachnids,20 +1273 || RPC portmap selection_svc request TCP || arachnids,25 +1274 || RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +1275 || RPC 
portmap yppasswd request TCP || arachnids,14 +1276 || RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 +1277 || RPC portmap ypupdated request UDP || arachnids,125 +1278 || RPC rstatd query || arachnids,9 +1279 || RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +1280 || RPC portmap listing UDP 111 || arachnids,428 +1281 || RPC portmap listing UDP 32771 || arachnids,429 +1282 || RPC EXPLOIT statdx || arachnids,442 +1283 || WEB-IIS outlook web dos || bugtraq,3223 +1284 || WEB-CLIENT readme.eml download attempt || url,www.cert.org/advisories/CA-2001-26.html +1285 || WEB-IIS msdac access || nessus,11032 +1286 || WEB-IIS _mem_bin access || nessus,11032 +1287 || WEB-IIS scripts access +1288 || WEB-FRONTPAGE /_vti_bin/ access || nessus,11032 +1289 || TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html +1290 || WEB-CLIENT readme.eml autoload attempt || url,www.cert.org/advisories/CA-2001-26.html +1291 || WEB-MISC sml3com access || bugtraq,2721 || cve,2001-0740 +1292 || ATTACK-RESPONSES directory listing +1293 || NETBIOS nimda .eml || url,www.f-secure.com/v-descs/nimda.shtml +1294 || NETBIOS nimda .nws || url,www.f-secure.com/v-descs/nimda.shtml +1295 || NETBIOS nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml +1296 || RPC portmap request yppasswdd || bugtraq,2763 +1297 || RPC portmap request yppasswdd || bugtraq,2763 +1298 || RPC portmap tooltalk request TCP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +1299 || RPC portmap tooltalk request UDP || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +1300 || WEB-PHP admin.php file upload attempt || bugtraq,3361 || cve,2001-1032 +1301 || WEB-PHP admin.php access || bugtraq,3361 || bugtraq,7532 || 
bugtraq,9270 || cve,2001-1032 +1302 || WEB-MISC console.exe access || bugtraq,3375 || cve,2001-1252 +1303 || WEB-MISC cs.exe access || bugtraq,3375 || cve,2001-1252 +1304 || WEB-CGI txt2html.cgi access +1305 || WEB-CGI txt2html.cgi directory traversal attempt +1306 || WEB-CGI store.cgi product directory traversal attempt || bugtraq,2385 || cve,2001-0305 +1307 || WEB-CGI store.cgi access || bugtraq,2385 || cve,2001-0305 || nessus,10639 +1308 || WEB-CGI sendmessage.cgi access || bugtraq,3673 || cve,2001-1100 +1309 || WEB-CGI zsh access || cve,1999-0509 || url,www.cert.org/advisories/CA-1996-11.html +1321 || BAD-TRAFFIC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb\ || url,www.isi.edu/in-notes/rfc1122.txt +1322 || BAD-TRAFFIC bad frag bits +1323 || EXPLOIT rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838 +1324 || EXPLOIT ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1325 || EXPLOIT ssh CRC32 overflow filler || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1326 || EXPLOIT ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1327 || EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1328 || WEB-ATTACKS /bin/ps command attempt +1329 || WEB-ATTACKS ps command attempt +1330 || WEB-ATTACKS wget command attempt || bugtraq,10361 +1331 || WEB-ATTACKS uname -a command attempt +1332 || WEB-ATTACKS /usr/bin/id command attempt +1333 || WEB-ATTACKS id command attempt +1334 || WEB-ATTACKS echo command attempt +1335 || WEB-ATTACKS kill command attempt +1336 || WEB-ATTACKS chmod command attempt +1337 || WEB-ATTACKS chgrp command attempt +1338 || WEB-ATTACKS chown command attempt +1339 || WEB-ATTACKS chsh command attempt +1340 || WEB-ATTACKS tftp command attempt +1341 || WEB-ATTACKS /usr/bin/gcc command attempt +1342 || WEB-ATTACKS gcc command attempt +1343 || WEB-ATTACKS /usr/bin/cc command attempt +1344 || WEB-ATTACKS cc command attempt +1345 || WEB-ATTACKS /usr/bin/cpp command 
attempt +1346 || WEB-ATTACKS cpp command attempt +1347 || WEB-ATTACKS /usr/bin/g++ command attempt +1348 || WEB-ATTACKS g++ command attempt +1349 || WEB-ATTACKS bin/python access attempt +1350 || WEB-ATTACKS python access attempt +1351 || WEB-ATTACKS bin/tclsh execution attempt +1352 || WEB-ATTACKS tclsh execution attempt +1353 || WEB-ATTACKS bin/nasm command attempt +1354 || WEB-ATTACKS nasm command attempt +1355 || WEB-ATTACKS /usr/bin/perl execution attempt +1356 || WEB-ATTACKS perl execution attempt +1357 || WEB-ATTACKS nt admin addition attempt +1358 || WEB-ATTACKS traceroute command attempt +1359 || WEB-ATTACKS ping command attempt +1360 || WEB-ATTACKS netcat command attempt +1361 || WEB-ATTACKS nmap command attempt +1362 || WEB-ATTACKS xterm command attempt +1363 || WEB-ATTACKS X application to remote host attempt +1364 || WEB-ATTACKS lsof command attempt +1365 || WEB-ATTACKS rm command attempt +1366 || WEB-ATTACKS mail command attempt +1367 || WEB-ATTACKS mail command attempt +1368 || WEB-ATTACKS /bin/ls| command attempt +1369 || WEB-ATTACKS /bin/ls command attempt +1370 || WEB-ATTACKS /etc/inetd.conf access +1371 || WEB-ATTACKS /etc/motd access +1372 || WEB-ATTACKS /etc/shadow access +1373 || WEB-ATTACKS conf/httpd.conf attempt +1374 || WEB-MISC .htgroup access +1375 || WEB-MISC sadmind worm access || url,www.cert.org/advisories/CA-2001-11.html +1376 || WEB-MISC jrun directory browse attempt || bugtraq,3592 +1377 || FTP wu-ftp bad file completion attempt [ || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 +1378 || FTP wu-ftp bad file completion attempt { || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 +1379 || FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt +1380 || WEB-IIS cross-site scripting attempt || bugtraq,119 || bugtraq,1594 || bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 +1381 || WEB-MISC Trend Micro 
OfficeScan attempt || bugtraq,1057 +1382 || EXPLOIT CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt +1383 || P2P Fastrack kazaa/morpheus GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm +1384 || MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx +1385 || WEB-MISC mod-plsql administration access || bugtraq,3726 || bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849 +1386 || MS-SQL/SMB raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx +1387 || MS-SQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || nessus,11217 +1388 || MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876 +1389 || WEB-MISC viewcode.jse access || bugtraq,3715 +1390 || SHELLCODE x86 inc ebx NOOP +1391 || WEB-MISC Phorecast remote code execution attempt || bugtraq,3388 || cve,2001-1049 +1392 || WEB-CGI lastlines.cgi access || bugtraq,3754 || bugtraq,3755 || cve,2001-1205 || cve,2001-1206 +1393 || MISC AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/ +1394 || SHELLCODE x86 NOOP +1395 || WEB-CGI zml.cgi attempt || bugtraq,3759 || cve,2001-1209 +1396 || WEB-CGI zml.cgi access || bugtraq,3759 || cve,2001-1209 +1397 || WEB-CGI wayboard attempt || bugtraq,2370 || cve,2001-0214 +1398 || EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html +1399 || WEB-PHP PHP-Nuke remote file include attempt || bugtraq,3889 || cve,2002-0206 +1400 || WEB-IIS /scripts/samples/ access || nessus,10370 +1401 || WEB-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007 +1402 || WEB-IIS iissamples access || nessus,11032 +1403 || WEB-MISC viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048 +1404 || WEB-MISC showcode access 
|| bugtraq,167 || cve,1999-0736 || nessus,10007 +1405 || WEB-CGI AHG search.cgi access || bugtraq,3985 +1406 || WEB-CGI agora.cgi access || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 +1407 || WEB-PHP smssend.php access || bugtraq,3982 || cve,2002-0220 +1408 || DOS MSDTC attempt || bugtraq,4006 || cve,2002-0224 || nessus,10939 +1409 || SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html +1410 || WEB-CGI dcboard.cgi access || bugtraq,2728 || cve,2001-0527 || nessus,10583 +1411 || SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 +1412 || SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 +1413 || SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013 +1414 || SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1415 || SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1416 || SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1417 || SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1418 || SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1419 || SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1420 || SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1421 || SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1422 || SNMP community string buffer overflow attempt with evasion || 
bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html +1423 || WEB-PHP content-disposition memchr overflow || bugtraq,4183 || cve,2002-0081 || nessus,10867 +1424 || SHELLCODE x86 0xEB0C NOOP +1425 || WEB-PHP content-disposition || bugtraq,4183 || cve,2002-0081 || nessus,10867 +1426 || SNMP PROTOS test-suite-req-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html +1427 || SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html +1428 || MULTIMEDIA audio galaxy keepalive +1429 || POLICY poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl +1430 || TELNET Solaris memory mismanagement exploit attempt +1431 || BAD-TRAFFIC syn to multicast address +1432 || P2P GNUTella client request +1433 || WEB-MISC .history access +1434 || WEB-MISC .bash_history access || bugtraq,337 || cve,1999-0408 +1435 || DNS named authors attempt || arachnids,480 || nessus,10728 +1436 || MULTIMEDIA Quicktime User Agent access +1437 || MULTIMEDIA Windows Media download +1438 || MULTIMEDIA Windows Media Video download +1439 || MULTIMEDIA Shoutcast playlist redirection +1440 || MULTIMEDIA Icecast playlist redirection +1441 || TFTP GET nc.exe +1442 || TFTP GET shadow +1443 || TFTP GET passwd +1444 || TFTP Get +1445 || POLICY FTP file_id.diz access possible warez site +1446 || SMTP vrfy root +1447 || MISC MS Terminal server request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx +1448 || MISC MS Terminal server request || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx +1449 || POLICY FTP anonymous ftp login attempt +1450 || SMTP expn *@ || cve,1999-1200 +1451 || WEB-CGI NPH-publish access || bugtraq,2563 || cve,2001-0400 +1452 || WEB-CGI args.cmd access || cve,1999-1180 || nessus,11465 +1453 || WEB-CGI AT-generated.cgi access || 
cve,1999-1072 +1454 || WEB-CGI wwwwais access || cve,2001-0223 || nessus,10597 +1455 || WEB-CGI calendar.pl access || bugtraq,1215 || cve,2000-0432 +1456 || WEB-CGI calender_admin.pl access || cve,2000-0432 +1457 || WEB-CGI user_update_admin.pl access || bugtraq,1486 || cve,2000-0627 +1458 || WEB-CGI user_update_passwd.pl access || bugtraq,1486 || cve,2000-0627 +1459 || WEB-CGI bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025 +1460 || WEB-CGI bb-histsvc.sh access || bugtraq,142 || cve,1999-1462 +1461 || WEB-CGI bb-rep.sh access || bugtraq,142 || cve,1999-1462 +1462 || WEB-CGI bb-replog.sh access || bugtraq,142 || cve,1999-1462 +1463 || CHAT IRC message +1464 || ATTACK-RESPONSES oracle one hour install || nessus,10737 +1465 || WEB-CGI auktion.cgi access || bugtraq,2367 || cve,2001-0212 || nessus,10638 +1466 || WEB-CGI cgiforum.pl access || bugtraq,1963 || cve,2000-1171 || nessus,10552 +1467 || WEB-CGI directorypro.cgi access || bugtraq,2793 || cve,2001-0780 +1468 || WEB-CGI Web Shopper shopper.cgi attempt || bugtraq,1776 || cve,2000-0922 +1469 || WEB-CGI Web Shopper shopper.cgi access || bugtraq,1776 || cve,2000-0922 +1470 || WEB-CGI listrec.pl access || bugtraq,3328 || cve,2001-0997 +1471 || WEB-CGI mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641 +1472 || WEB-CGI book.cgi access || bugtraq,3178 || cve,2001-1114 || nessus,10721 +1473 || WEB-CGI newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 +1474 || WEB-CGI cal_make.pl access || bugtraq,2663 || cve,2001-0463 || nessus,10664 +1475 || WEB-CGI mailit.pl access || nessus,10417 +1476 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720 +1477 || WEB-CGI swc attempt +1478 || WEB-CGI swc access || nessus,10493 +1479 || WEB-CGI ttawebtop.cgi arbitrary file attempt || bugtraq,2890 || cve,2001-0805 || nessus,10696 +1480 || WEB-CGI ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696 +1481 || WEB-CGI upload.cgi access || 
nessus,10290 +1482 || WEB-CGI view_source access || bugtraq,2251 || cve,1999-0174 || nessus,10294 +1483 || WEB-CGI ustorekeeper.pl access || cve,2001-0466 || nessus,10645 +1484 || WEB-IIS /isapi/tstisapi.dll access || bugtraq,2381 || cve,2001-0302 +1485 || WEB-IIS mkilog.exe access || nessus,10359 || url,www.osvdb.org/274 +1486 || WEB-IIS ctss.idc access || nessus,10359 +1487 || WEB-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371 +1488 || WEB-CGI store.cgi directory traversal attempt || bugtraq,2385 || cve,2001-0305 || nessus,10639 +1489 || WEB-MISC /~nobody access || nessus,10484 +1490 || WEB-PHP Phorum /support/common.php attempt || bugtraq,1997 +1491 || WEB-PHP Phorum /support/common.php access || bugtraq,1997 || bugtraq,9361 +1492 || WEB-MISC RBS ISP /newuser directory traversal attempt || bugtraq,1704 || cve,2000-1036 || nessus,10521 +1493 || WEB-MISC RBS ISP /newuser access || bugtraq,1704 || cve,2000-1036 || nessus,10521 +1494 || WEB-CGI SIX webboard generate.cgi attempt || bugtraq,3175 || cve,2001-1115 || nessus,10725 +1495 || WEB-CGI SIX webboard generate.cgi access || bugtraq,3175 || cve,2001-1115 +1496 || WEB-CGI spin_client.cgi access || nessus,10393 +1497 || WEB-MISC cross site scripting attempt +1498 || WEB-MISC PIX firewall manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 +1499 || WEB-MISC SiteScope Service access || nessus,10778 +1500 || WEB-MISC ExAir access || bugtraq,193 || cve,1999-0449 || nessus,10002 || nessus,10003 || nessus,10004 +1501 || WEB-CGI a1stats a1disp3.cgi directory traversal attempt || bugtraq,2705 || cve,2001-0561 || nessus,10669 +1502 || WEB-CGI a1stats a1disp3.cgi access || bugtraq,2705 || cve,2001-0561 || nessus,10669 +1503 || WEB-CGI admentor admin.asp access || bugtraq,4152 || cve,2002-0308 || nessus,10880 || url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html +1504 || MISC AFS access || nessus,10441 +1505 || WEB-CGI 
alchemy http server PRN arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 +1506 || WEB-CGI alchemy http server NUL arbitrary command execution attempt || bugtraq,3599 || cve,2001-0871 +1507 || WEB-CGI alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013 +1508 || WEB-CGI alibaba.pl access || bugtraq,770 || cve ,CAN-1999-0885 || nessus,10013 +1509 || WEB-CGI AltaVista Intranet Search directory traversal attempt || bugtraq,896 || cve,2000-0039 || nessus,10015 +1510 || WEB-CGI test.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 +1511 || WEB-CGI test.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 +1512 || WEB-CGI input.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 +1513 || WEB-CGI input.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 +1514 || WEB-CGI input2.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 +1515 || WEB-CGI input2.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 +1516 || WEB-CGI envout.bat arbitrary command execution attempt || bugtraq,762 || cve,1999-0947 || nessus,10016 +1517 || WEB-CGI envout.bat access || bugtraq,762 || cve,1999-0947 || nessus,10016 +1518 || WEB-MISC nstelemetry.adp access || nessus,10753 +1519 || WEB-MISC apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731 +1520 || WEB-MISC server-info access || url,httpd.apache.org/docs/mod/mod_info.html +1521 || WEB-MISC server-status access || url,httpd.apache.org/docs/mod/mod_info.html +1522 || WEB-MISC ans.pl attempt || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875 +1523 || WEB-MISC ans.pl access || bugtraq,4147 || bugtraq,4149 || cve,2002-0306 || cve,2002-0307 || nessus,10875 +1524 || WEB-MISC AxisStorpoint CD attempt || bugtraq,1025 || cve,2000-0191 || nessus,10023 +1525 || WEB-MISC Axis Storpoint CD access || bugtraq,1025 || 
cve,2000-0191 || nessus,10023 +1526 || WEB-MISC basilix sendmail.inc access || bugtraq,2198 || cve,2001-1044 || nessus,10601 +1527 || WEB-MISC basilix mysql.class access || bugtraq,2198 || cve,2001-1044 || nessus,10601 +1528 || WEB-MISC BBoard access || bugtraq,1459 || cve,2000-0629 || nessus,10507 +1529 || FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770 +1530 || FTP format string attempt || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,1999-0997 || cve,2000-0573 || nessus,10452 +1531 || WEB-CGI bb-hist.sh attempt || bugtraq,142 || cve,1999-1462 || nessus,10025 +1532 || WEB-CGI bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460 +1533 || WEB-CGI bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460 +1534 || WEB-CGI agora.cgi attempt || bugtraq,3702 || bugtraq,3976 || cve,2001-1199 || cve,2002-0215 || nessus,10836 +1535 || WEB-CGI bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383 +1536 || WEB-CGI calendar_admin.pl arbitrary command execution attempt || cve,2000-0432 +1537 || WEB-CGI calendar_admin.pl access || cve,2000-0432 +1538 || NNTP AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341 +1539 || WEB-CGI /cgi-bin/ls access || bugtraq,936 || cve,2000-0079 +1540 || WEB-COLDFUSION ?Mode=debug attempt || nessus,10797 +1541 || FINGER version query +1542 || WEB-CGI cgimail access || bugtraq,1623 || cve,2000-0726 || nessus,11721 +1543 || WEB-CGI cgiwrap access || bugtraq,1238 || bugtraq,3084 || bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 || nessus,10041 +1544 || WEB-MISC Cisco Catalyst command execution attempt || bugtraq,1846 || cve,2000-0945 || nessus,10545 +1545 || DOS Cisco attempt +1546 || WEB-MISC Cisco /%% DOS attempt || bugtraq,1154 || cve,2000-0380 +1547 || WEB-CGI csSearch.cgi arbitrary command execution attempt || bugtraq,4368 || cve,2002-0495 || nessus,10924 +1548 || WEB-CGI csSearch.cgi access || bugtraq,4368 || cve,2002-0495 
|| nessus,10924 +1549 || SMTP HELO overflow attempt || bugtraq,7726 || bugtraq,895 || cve,2000-0042 || nessus,10324 || nessus,11674 +1550 || SMTP ETRN overflow attempt || bugtraq,1297 || bugtraq,7515 || cve,2000-0490 || nessus,10438 +1551 || WEB-MISC /CVS/Entries access || nessus,10922 || nessus,11032 +1552 || WEB-MISC cvsweb version access || cve,2000-0670 +1553 || WEB-CGI /cart/cart.cgi access || bugtraq,1115 || cve,2000-0252 +1554 || WEB-CGI dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403 +1555 || WEB-CGI DCShop access || bugtraq,2889 || cve,2001-0821 +1556 || WEB-CGI DCShop orders.txt access || bugtraq,2889 || cve,2001-0821 +1557 || WEB-CGI DCShop auth_user_file.txt access || bugtraq,2889 || cve,2001-0821 +1558 || WEB-MISC Delegate whois overflow attempt || cve,2000-0165 +1559 || WEB-MISC /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032 +1560 || WEB-MISC /doc/ access || bugtraq,318 || cve,1999-0678 +1561 || WEB-MISC ?open access +1562 || FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065 +1563 || WEB-MISC login.htm attempt || bugtraq,665 || cve,1999-1533 +1564 || WEB-MISC login.htm access || bugtraq,665 || cve,1999-1533 +1565 || WEB-CGI eshop.pl arbitrary commane execution attempt || bugtraq,3340 || cve,2001-1014 +1566 || WEB-CGI eshop.pl access || bugtraq,3340 || cve,2001-1014 +1567 || WEB-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,www.microsoft.com/technet/security/bulletin/MS01-047.mspx +1568 || WEB-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 +1569 || WEB-CGI loadpage.cgi directory traversal attempt || bugtraq,2109 || cve,2000-1092 +1570 || WEB-CGI loadpage.cgi access || bugtraq,2109 || cve,2000-1092 +1571 || WEB-CGI dcforum.cgi directory traversal attempt || bugtraq,2611 || cve,2001-0436 || cve,2001-0437 +1572 || WEB-CGI commerce.cgi arbitrary file access attempt || 
bugtraq,2361 || cve,2001-0210 || nessus,10612 +1573 || WEB-CGI cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552 +1574 || WEB-CGI directorypro.cgi attempt || bugtraq,2793 || cve,2001-0780 +1575 || WEB-MISC Domino mab.nsf access || bugtraq,4022 || nessus,10953 +1576 || WEB-MISC Domino cersvr.nsf access || nessus,10629 +1577 || WEB-MISC Domino setup.nsf access || nessus,10629 +1578 || WEB-MISC Domino statrep.nsf access || nessus,10629 +1579 || WEB-MISC Domino webadmin.nsf access || bugtraq,9900 || bugtraq,9901 || nessus,10629 +1580 || WEB-MISC Domino events4.nsf access || nessus,10629 +1581 || WEB-MISC Domino ntsync4.nsf access || nessus,10629 +1582 || WEB-MISC Domino collect4.nsf access || nessus,10629 +1583 || WEB-MISC Domino mailw46.nsf access || nessus,10629 +1584 || WEB-MISC Domino bookmark.nsf access || nessus,10629 +1585 || WEB-MISC Domino agentrunner.nsf access || nessus,10629 +1586 || WEB-MISC Domino mail.box access || bugtraq,881 || nessus,10629 +1587 || WEB-MISC cgitest.exe access || arachnids,265 || bugtraq,1313 || bugtraq,3885 || cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 || nessus,11131 +1588 || WEB-MISC SalesLogix Eviewer access || bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 +1589 || WEB-MISC musicat empower attempt || bugtraq,2374 || cve,2001-0224 || nessus,10609 +1590 || WEB-CGI faqmanager.cgi arbitrary file access attempt || bugtraq,3810 || nessus,10837 +1591 || WEB-CGI faqmanager.cgi access || bugtraq,3810 || nessus,10837 +1592 || WEB-CGI /fcgi-bin/echo.exe access || nessus,10838 +1593 || WEB-CGI FormHandler.cgi external site redirection attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 +1594 || WEB-CGI FormHandler.cgi access || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 +1595 || WEB-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 || cve,2000-0122 || cve,2000-0256 || nessus,10376 +1597 || WEB-CGI guestbook.cgi access || cve,1999-0237 || 
nessus,10098 +1598 || WEB-CGI Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054 +1599 || WEB-CGI search.cgi access || bugtraq,921 || cve,2000-0054 +1600 || WEB-CGI htsearch arbitrary configuration file attempt || cve,2000-0208 +1601 || WEB-CGI htsearch arbitrary file read attempt || bugtraq,1026 || cve,2000-0208 || nessus,10105 +1602 || WEB-CGI htsearch access || bugtraq,1026 || cve,2000-0208 || nessus,10105 +1603 || WEB-MISC DELETE attempt || nessus,10498 +1604 || WEB-MISC iChat directory traversal attempt || cve,1999-0897 +1605 || DOS iParty DOS attempt || bugtraq,6844 || cve,1999-1566 +1606 || WEB-CGI icat access || cve,1999-1069 +1607 || WEB-CGI HyperSeek hsx.cgi access || bugtraq,2314 || cve,2001-0253 || nessus,10602 +1608 || WEB-CGI htmlscript attempt || bugtraq,2001 || cve,1999-0264 || nessus,10106 +1609 || WEB-CGI faxsurvey arbitrary file read attempt || bugtraq,2056 || cve,1999-0262 || nessus,10067 +1610 || WEB-CGI formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 +1611 || WEB-CGI eXtropia webstore access || bugtraq,1774 || cve,2000-1005 || nessus,10532 +1612 || WEB-MISC ftp.pl attempt || bugtraq,1471 || cve,2000-0674 || nessus,10467 +1613 || WEB-MISC handler attempt || arachnids,235 || bugtraq,380 || cve,1999-0148 || nessus,10100 +1614 || WEB-MISC Novell Groupwise gwweb.exe attempt || bugtraq,879 || cve,1999-1005 || cve,1999-1006 || nessus,10877 +1615 || WEB-MISC htgrep attempt || cve,2000-0832 +1616 || DNS named version attempt || arachnids,278 || nessus,10028 +1617 || WEB-CGI Bugzilla doeditvotes.cgi access || bugtraq,3800 || cve,2002-0011 +1618 || WEB-IIS .asp chunked Transfer-Encoding || bugtraq,4474 || bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932 +1619 || EXPERIMENTAL WEB-IIS .htr request || bugtraq,4474 || cve,2002-0071 || nessus,10932 +1620 || BAD TRAFFIC Non-Standard IP protocol +1621 || FTP 
CMD overflow attempt +1622 || FTP RNFR ././ attempt +1623 || FTP invalid MODE +1624 || FTP large PWD command +1625 || FTP large SYST command +1626 || WEB-IIS /StoreCSVS/InstantOrder.asmx request +1627 || BAD-TRAFFIC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers +1628 || WEB-CGI FormHandler.cgi directory traversal attempt attempt || bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075 +1629 || OTHER-IDS SecureNetPro traffic +1631 || CHAT AIM login +1632 || CHAT AIM send message +1633 || CHAT AIM receive message +1634 || POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325 +1635 || POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559 +1636 || MISC Xtramail Username overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10323 +1637 || WEB-CGI yabb access || arachnids,462 || bugtraq,1668 || cve,2000-0853 +1638 || SCAN SSH Version map attempt +1639 || CHAT IRC DCC file transfer request +1640 || CHAT IRC DCC chat request +1641 || DOS DB2 dos attempt || bugtraq,3010 || cve,2001-1143 || nessus,10871 +1642 || WEB-CGI document.d2w access || bugtraq,2017 || cve,2000-1110 +1643 || WEB-CGI db2www access || cve,2000-0677 +1644 || WEB-CGI test-cgi attempt || arachnids,218 || bugtraq,2003 || cve,1999-0070 || nessus,10282 +1645 || WEB-CGI testcgi access || bugtraq,7214 || nessus,11610 +1646 || WEB-CGI test.cgi access +1647 || WEB-CGI faxsurvey attempt full path || bugtraq,2056 || cve,1999-0262 || nessus,10067 +1648 || WEB-CGI perl.exe command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html +1649 || WEB-CGI perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html +1650 || WEB-CGI tst.bat access || bugtraq,770 || cve,1999-0885 || nessus,10014 +1651 || WEB-CGI environ.pl access +1652 || WEB-CGI campus attempt || bugtraq,1975 || cve,1999-0146 || nessus,10035 +1653 
|| WEB-CGI campus access || bugtraq,1975 || cve,1999-0146 || nessus,10035 +1654 || WEB-CGI cart32.exe access || bugtraq,1153 +1655 || WEB-CGI pfdispaly.cgi arbitrary command execution attempt || cve,1999-0270 || nessus,10174 +1656 || WEB-CGI pfdispaly.cgi access || cve,1999-0270 || nessus,10174 +1657 || WEB-CGI pagelog.cgi directory traversal attempt || bugtraq,1864 || cve,2000-0940 || nessus,10591 +1658 || WEB-CGI pagelog.cgi access || bugtraq,1864 || cve,2000-0940 || nessus,10591 +1659 || WEB-COLDFUSION sendmail.cfm access +1660 || WEB-IIS trace.axd access || nessus,10993 +1661 || WEB-IIS cmd32.exe access +1662 || WEB-MISC /~ftp access +1663 || WEB-MISC *%0a.pl access || nessus,11007 || url,www.securityfocus.com/archive/1/149482 +1664 || WEB-MISC mkplog.exe access +1665 || WEB-MISC mkilog.exe access +1666 || ATTACK-RESPONSES index of /cgi-bin/ response || nessus,10039 +1667 || WEB-MISC cross site scripting HTML Image tag set to javascript attempt || bugtraq,4858 || cve,2002-0902 +1668 || WEB-CGI /cgi-bin/ access +1669 || WEB-CGI /cgi-dos/ access +1670 || WEB-MISC /home/ftp access || nessus,11032 +1671 || WEB-MISC /home/www access || nessus,11032 +1672 || FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421 +1673 || ORACLE EXECUTE_SYSTEM attempt +1674 || ORACLE connect_data remote version detection attempt +1675 || ORACLE misparsed login response +1676 || ORACLE select union attempt +1677 || ORACLE select like '%' attempt +1678 || ORACLE select like '%' attempt backslash escaped +1679 || ORACLE describe attempt +1680 || ORACLE all_constraints access +1681 || ORACLE all_views access +1682 || ORACLE all_source access +1683 || ORACLE all_tables access +1684 || ORACLE all_tab_columns access +1685 || ORACLE all_tab_privs access +1686 || ORACLE dba_tablespace access +1687 || ORACLE dba_tables access +1688 || ORACLE user_tablespace access +1689 || ORACLE sys.all_users access +1690 || ORACLE grant attempt +1691 || ORACLE ALTER USER attempt +1692 || ORACLE 
drop table attempt +1693 || ORACLE create table attempt +1694 || ORACLE alter table attempt +1695 || ORACLE truncate table attempt +1696 || ORACLE create database attempt +1697 || ORACLE alter database attempt +1698 || ORACLE execute_system attempt +1699 || P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com +1700 || WEB-CGI imagemap.exe access || arachnids,412 || bugtraq,739 || cve,1999-0951 || nessus,10122 +1701 || WEB-CGI calendar-admin.pl access || bugtraq,1215 +1702 || WEB-CGI Amaya templates sendtemp.pl access || bugtraq,2504 || cve,2001-0272 +1703 || WEB-CGI auktion.cgi directory traversal attempt || bugtraq,2367 || cve,2001-0212 || nessus,10638 +1704 || WEB-CGI cal_make.pl directory traversal attempt || bugtraq,2663 || cve,2001-0463 || nessus,10664 +1705 || WEB-CGI echo.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246 +1706 || WEB-CGI echo.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246 +1707 || WEB-CGI hello.bat arbitrary command execution attempt || bugtraq,1002 || cve,2000-0213 || nessus,10246 +1708 || WEB-CGI hello.bat access || bugtraq,1002 || cve,2000-0213 || nessus,10246 +1709 || WEB-CGI ad.cgi access || bugtraq,2103 || cve,2001-0025 || nessus,11464 +1710 || WEB-CGI bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt +1711 || WEB-CGI bsguest.cgi access || bugtraq,2159 || cve,2001-0099 +1712 || WEB-CGI bslist.cgi access || bugtraq,2160 || cve,2001-0100 +1713 || WEB-CGI cgforum.cgi access || bugtraq,1951 || cve,2000-1132 +1714 || WEB-CGI newdesk access +1715 || WEB-CGI register.cgi access || bugtraq,2157 || cve,2001-0076 +1716 || WEB-CGI gbook.cgi access || bugtraq,1940 || cve,2000-1131 +1717 || WEB-CGI simplestguest.cgi access || bugtraq,2106 || cve,2001-0022 +1718 || WEB-CGI statsconfig.pl access || bugtraq,2211 || cve,2001-0113 +1719 || WEB-CGI talkback.cgi directory traversal attempt || bugtraq,2547 || cve,2001-0420 +1720 || WEB-CGI talkback.cgi 
access || bugtraq,2547 || cve,2001-0420 +1721 || WEB-CGI adcycle access || bugtraq,3741 || cve,2001-1226 +1722 || WEB-CGI MachineInfo access || cve,1999-1067 +1723 || WEB-CGI emumail.cgi NULL attempt || bugtraq,5824 || cve,2002-1526 +1724 || WEB-CGI emumail.cgi access || bugtraq,5824 || cve,2002-1526 +1725 || WEB-IIS +.htr code fragment attempt || bugtraq,1488 || cve,2000-0630 || nessus,10680 || url,www.microsoft.com/technet/security/bulletin/MS00-044.mspx +1726 || WEB-IIS doctodep.btr access +1727 || WEB-CGI SGI InfoSearch fname access || arachnids,290 || bugtraq,1031 || cve,2000-0207 +1728 || FTP CWD ~ attempt || bugtraq,2601 || cve,2001-0421 +1729 || CHAT IRC channel join +1730 || WEB-CGI ustorekeeper.pl directory traversal attempt || bugtraq,2536 || cve,2001-0466 || nessus,10645 +1731 || WEB-CGI a1stats access || bugtraq,2705 || cve,2001-0561 || nessus,10669 +1732 || RPC portmap rwalld request UDP +1733 || RPC portmap rwalld request TCP +1734 || FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286 +1735 || WEB-CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354 +1736 || WEB-PHP squirrel mail spell-check arbitrary command attempt || bugtraq,3952 +1737 || WEB-PHP squirrel mail theme arbitrary command attempt || bugtraq,4385 || cve,2002-0516 +1738 || WEB-MISC global.inc access || bugtraq,4612 || cve,2002-0614 +1739 || WEB-PHP DNSTools administrator authentication bypass attempt || bugtraq,4617 || cve,2002-0613 +1740 || WEB-PHP DNSTools authentication bypass attempt || bugtraq,4617 || cve,2002-0613 +1741 || WEB-PHP DNSTools access || bugtraq,4617 || cve,2002-0613 +1742 || WEB-PHP 
Blahz-DNS dostuff.php modify user attempt || bugtraq,4618 || cve,2002-0599 +1743 || WEB-PHP Blahz-DNS dostuff.php access || bugtraq,4618 || cve,2002-0599 +1744 || WEB-MISC SecureSite authentication bypass attempt || bugtraq,4621 +1745 || WEB-PHP Messagerie supp_membre.php access || bugtraq,4635 +1746 || RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 +1747 || RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 +1748 || FTP command overflow attempt || bugtraq,4638 || cve,2002-0606 +1749 || EXPERIMENTAL WEB-IIS .NET trace.axd access +1750 || WEB-IIS users.xml access +1751 || EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951 +1752 || MISC AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/ +1753 || WEB-IIS as_web.exe access || bugtraq,4670 +1754 || WEB-IIS as_web4.exe access || bugtraq,4670 +1755 || IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379 +1756 || WEB-IIS NewsPro administration authentication attempt || bugtraq,4672 +1757 || WEB-MISC b2 arbitrary command execution attempt || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 +1758 || WEB-MISC b2 access || bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667 +1759 || MS-SQL xp_cmdshell program execution 445 +1760 || OTHER-IDS ISS RealSecure 6 event collector connection attempt +1761 || OTHER-IDS ISS RealSecure 6 daemon connection attempt +1762 || WEB-CGI phf arbitrary command execution attempt || arachnids,128 || bugtraq,629 || cve,1999-0067 +1763 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 +1764 || WEB-CGI Nortel Contivity cgiproc DOS attempt || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 +1765 || WEB-CGI Nortel Contivity cgiproc access || bugtraq,938 || cve,2000-0063 || cve,2000-0064 || nessus,10160 +1766 || WEB-MISC search.dll directory listing attempt || 
bugtraq,1684 || cve,2000-0835 || nessus,10514 +1767 || WEB-MISC search.dll access || bugtraq,1684 || cve,2000-0835 || nessus,10514 +1768 || WEB-IIS header field buffer overflow attempt || bugtraq,4476 || cve,2002-0150 +1769 || WEB-MISC .DS_Store access || url,www.macintouch.com/mosxreaderreports46.html +1770 || WEB-MISC .FBCIndex access || url,www.securiteam.com/securitynews/5LP0O005FS.html +1771 || POLICY IPSec PGPNet connection attempt +1772 || WEB-IIS pbserver access || cve,2000-1089 || url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx +1773 || WEB-PHP php.exe access || url,www.securitytracker.com/alerts/2002/Jan/1003104.html +1774 || WEB-PHP bb_smilies.php access || url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html +1775 || MYSQL root login attempt +1776 || MYSQL show databases attempt +1777 || FTP EXPLOIT STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1778 || FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1779 || FTP CWD .... 
attempt || bugtraq,4884 +1780 || IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379 +1787 || WEB-CGI csPassword.cgi access || bugtraq,4885 || bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 || cve,2002-0918 +1788 || WEB-CGI csPassword password.cgi.tmp access || bugtraq,4889 || cve,2002-0920 +1789 || CHAT IRC dns request +1790 || CHAT IRC dns response +1791 || BACKDOOR fragroute trojan connection attempt || bugtraq,4898 +1792 || NNTP return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909 +1800 || VIRUS Klez Incoming +1801 || WEB-IIS .asp HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1802 || WEB-IIS .asa HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1803 || WEB-IIS .cer HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1804 || WEB-IIS .cdx HTTP header buffer overflow attempt || bugtraq,4476 || cve,2002-0150 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1805 || WEB-CGI Oracle reports CGI access || bugtraq,4848 || cve,2002-0947 +1806 || WEB-IIS .htr chunked Transfer-Encoding || bugtraq,4855 || bugtraq,5003 || cve,2002-0364 +1807 || WEB-MISC Chunked-Encoding transfer attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 +1808 || WEB-MISC apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392 +1809 || WEB-MISC Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 +1810 || ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 +1811 || ATTACK-RESPONSES successful gobbles ssh exploit uname || bugtraq,5093 || cve,2002-0390 || 
cve,2002-0639 +1812 || EXPLOIT gobbles SSH exploit attempt || bugtraq,5093 || cve,2002-0390 || cve,2002-0639 +1813 || ICMP digital island bandwidth query +1814 || WEB-MISC CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013 +1815 || WEB-PHP directory.php arbitrary command attempt || bugtraq,4278 || cve,2002-0434 +1816 || WEB-PHP directory.php access || bugtraq,4278 || cve,2002-0434 +1817 || WEB-IIS MS Site Server default login attempt || nessus,11018 +1818 || WEB-IIS MS Site Server admin attempt || nessus,11018 +1819 || MISC Alcatel PABX 4400 connection attempt || nessus,11019 +1820 || WEB-MISC IBM Net.Commerce orderdspc.d2w access || bugtraq,2350 || cve,2001-0319 || nessus,11020 +1821 || EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023 +1822 || WEB-CGI alienform.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 +1823 || WEB-CGI AlienForm af.cgi directory traversal attempt || bugtraq,4983 || cve,2002-0934 || nessus,11027 +1824 || WEB-CGI alienform.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 +1825 || WEB-CGI AlienForm af.cgi access || bugtraq,4983 || cve,2002-0934 || nessus,11027 +1826 || WEB-MISC WEB-INF access || bugtraq,1830 || bugtraq,5119 || cve,2000-1050 || cve,2001-0179 || nessus,11037 +1827 || WEB-MISC Tomcat servlet mapping cross site scripting attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041 +1828 || WEB-MISC iPlanet Search directory traversal attempt || bugtraq,5191 || cve,2002-1042 || nessus,11043 +1829 || WEB-MISC Tomcat TroubleShooter servlet access || bugtraq,4575 || nessus,11046 +1830 || WEB-MISC Tomcat SnoopServlet servlet access || bugtraq,4575 || nessus,11046 +1831 || WEB-MISC jigsaw dos attempt || nessus,11047 +1832 || CHAT ICQ forced user addition || bugtraq,3226 || cve,2001-1305 +1834 || WEB-PHP PHP-Wiki cross site scripting attempt || bugtraq,5254 || cve,2002-1070 +1835 || WEB-MISC Macromedia SiteSpring cross site 
scripting attempt || bugtraq,5249 || cve,2002-1027 +1838 || EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059 +1839 || WEB-MISC mailman cross site scripting attempt || bugtraq,5298 || cve,2002-0855 +1840 || WEB-CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815 +1841 || WEB-CLIENT Javascript URL host spoofing attempt || bugtraq,5293 +1842 || IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || nessus,10125 +1843 || BACKDOOR trinity connection attempt || cve,2000-0138 || nessus,10501 +1844 || IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292 +1845 || IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1846 || POLICY vncviewer Java applet download attempt || nessus,10758 +1847 || WEB-MISC webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816 +1848 || WEB-MISC webcart-lite access || cve,1999-0610 || nessus,10298 +1849 || WEB-MISC webfind.exe access || bugtraq,1487 || cve,2000-0622 || nessus,10475 +1850 || WEB-CGI way-board.cgi access || nessus,10610 +1851 || WEB-MISC active.log access || bugtraq,1497 || cve,2000-0642 || nessus,10470 +1852 || WEB-MISC robots.txt access || nessus,10302 +1853 || BACKDOOR win-trin00 connection attempt || cve,2000-0138 || nessus,10307 +1854 || DDOS Stacheldraht handler->agent niggahbitch || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis +1855 || DDOS Stacheldraht agent->handler skillz || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis +1856 || DDOS Stacheldraht handler->agent ficken || url,staff.washington.edu/dittrich/misc/stacheldraht.analysis +1857 || WEB-MISC robot.txt access || nessus,10302 +1858 || WEB-MISC CISCO PIX Firewall Manager directory traversal attempt || bugtraq,691 || cve,1999-0158 || nessus,10819 +1859 || WEB-MISC Sun JavaServer default password login attempt || 
cve,1999-0508 || nessus,10995 +1860 || WEB-MISC Linksys router default password login attempt || nessus,10999 +1861 || WEB-MISC Linksys router default username and password login attempt || nessus,10999 +1862 || WEB-CGI mrtg.cgi directory traversal attempt || bugtraq,4017 || cve,2002-0232 || nessus,11001 +1864 || FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319 +1865 || WEB-CGI webdist.cgi arbitrary command attempt || bugtraq,374 || cve,1999-0039 || nessus,10299 +1866 || POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311 +1867 || MISC xdmcp info query || nessus,10891 +1868 || WEB-CGI story.pl arbitrary file read attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817 +1869 || WEB-CGI story.pl access || bugtraq,3028 || cve,2001-0804 || nessus,10817 +1870 || WEB-CGI siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253 +1871 || WEB-MISC Oracle XSQLConfig.xml access || bugtraq,4290 || cve,2002-0568 || nessus,10855 +1872 || WEB-MISC Oracle Dynamic Monitoring Services dms access || nessus,10848 +1873 || WEB-MISC globals.jsa access || bugtraq,4034 || cve,2002-0562 || nessus,10850 +1874 || WEB-MISC Oracle Java Process Manager access || nessus,10851 +1875 || WEB-CGI cgicso access || bugtraq,6141 || nessus,10779 || nessus,10780 +1876 || WEB-CGI nph-publish.cgi access || cve,1999-1177 || nessus,10164 +1877 || WEB-CGI printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503 +1878 || WEB-CGI sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503 +1879 || WEB-CGI book.cgi arbitrary command execution attempt || bugtraq,3178 || cve,2001-1114 || nessus,10721 +1880 || WEB-MISC oracle web application server access || bugtraq,1053 || cve,2000-0169 || nessus,10348 +1881 || WEB-MISC bad HTTP/1.1 request, Potentially worm attack || url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html +1882 || ATTACK-RESPONSES id check returned userid +1883 || ATTACK-RESPONSES 
id check returned nobody +1884 || ATTACK-RESPONSES id check returned web +1885 || ATTACK-RESPONSES id check returned http +1886 || ATTACK-RESPONSES id check returned apache +1887 || MISC OpenSSL Worm traffic || url,www.cert.org/advisories/CA-2002-27.html +1888 || FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826 +1889 || MISC slapper worm admin traffic || url,isc.incidents.org/analysis.html?id=167 || url,www.cert.org/advisories/CA-2002-27.html +1890 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 +1891 || RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 +1892 || SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517 +1893 || SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517 +1894 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1895 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1896 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1897 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1898 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1899 || EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1900 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1901 || ATTACK-RESPONSES successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || 
cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1902 || IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1903 || IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1904 || IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1905 || RPC AMD UDP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 +1906 || RPC AMD TCP amqproc_mount plog overflow attempt || bugtraq,614 || cve,1999-0704 +1907 || RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 +1908 || RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 +1909 || RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html +1910 || RPC CMSD udp CMSD_INSERT buffer overflow attempt || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html +1911 || RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,866 || cve,1999-0977 +1912 || RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977 +1913 || RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1914 || RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1915 || RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1916 || RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1917 || SCAN UPnP service discover attempt +1918 || SCAN SolarWinds IP scan attempt +1919 || FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405 +1920 || FTP SITE NEWER overflow attempt || 
bugtraq,229 || cve,1999-0800 +1921 || FTP SITE ZIPCHK overflow attempt || cve,2000-0040 +1922 || RPC portmap proxy attempt TCP +1923 || RPC portmap proxy attempt UDP +1924 || RPC mountd UDP export request || arachnids,26 +1925 || RPC mountd TCP exportall request || arachnids,26 +1926 || RPC mountd UDP exportall request || arachnids,26 +1927 || FTP authorized_keys +1928 || FTP shadow retrieval attempt +1929 || BACKDOOR TCPDUMP/PCAP trojan traffic || url,hlug.fscker.com +1930 || IMAP auth literal overflow attempt || cve,1999-0005 +1931 || WEB-CGI rpc-nlog.pl access || cve,1999-1278 || url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 || url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2 +1932 || WEB-CGI rpc-smb.pl access || cve,1999-1278 +1933 || WEB-CGI cart.cgi access || bugtraq,1115 || cve,2000-0252 || nessus,10368 +1934 || POP2 FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130 +1935 || POP2 FOLD arbitrary file attempt +1936 || POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184 +1937 || POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197 +1938 || POP3 XTND overflow attempt +1939 || MISC bootp hardware address length overflow || cve,1999-0798 +1940 || MISC bootp invalid hardware type || cve,1999-0798 +1941 || TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813 +1942 || FTP RMDIR overflow attempt || bugtraq,819 +1943 || WEB-MISC /Carello/add.exe access || bugtraq,1245 || cve,2000-0396 || nessus,11776 +1944 || WEB-MISC /ecscripts/ecware.exe access || bugtraq,6066 +1945 || WEB-IIS unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +1946 || WEB-MISC answerbook2 admin attempt || bugtraq,5383 || cve,2000-0696 +1947 || WEB-MISC answerbook2 arbitrary command execution attempt || bugtraq,1556 || cve,2000-0697 +1948 || DNS zone transfer UDP || arachnids,212 || cve,1999-0532 || nessus,10595 +1949 || RPC portmap SET attempt TCP 111 +1950 || RPC 
portmap SET attempt UDP 111 +1951 || RPC mountd TCP mount request +1952 || RPC mountd UDP mount request +1953 || RPC AMD TCP pid request +1954 || RPC AMD UDP pid request +1955 || RPC AMD TCP version request +1956 || RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696 +1957 || RPC sadmind UDP PING || bugtraq,866 +1958 || RPC sadmind TCP PING || bugtraq,866 +1959 || RPC portmap NFS request UDP +1960 || RPC portmap NFS request TCP +1961 || RPC portmap RQUOTA request UDP +1962 || RPC portmap RQUOTA request TCP +1963 || RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974 +1964 || RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003 +1965 || RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003 +1966 || MISC GlobalSunTech Access Point Information Disclosure attempt || bugtraq,6100 +1967 || WEB-PHP phpbb quick-reply.php arbitrary command attempt || bugtraq,6173 +1968 || WEB-PHP phpbb quick-reply.php access || bugtraq,6173 +1969 || WEB-MISC ion-p access || bugtraq,6091 || cve,2002-1559 +1970 || WEB-IIS MDAC Content-Type overflow attempt || bugtraq,6214 || cve,2002-1142 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337 || url,www.microsoft.com/technet/security/bulletin/MS02-065.mspx || url,www.microsoft.com/technet/security/bulletin/MS98-004.mspx +1971 || FTP SITE EXEC format string attempt +1972 || FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895 +1973 || FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108 +1974 || FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826 +1975 || FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021 +1976 || FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021 +1977 || WEB-MISC xp_regwrite 
attempt +1978 || WEB-MISC xp_regdeletekey attempt +1979 || WEB-MISC perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158 +1980 || BACKDOOR DeepThroat 3.1 Connection attempt || mcafee,98574 || nessus,10053 +1981 || BACKDOOR DeepThroat 3.1 Connection attempt [3150] || mcafee,98574 || nessus,10053 +1982 || BACKDOOR DeepThroat 3.1 Server Response [3150] || arachnids,106 || mcafee,98574 || nessus,10053 +1983 || BACKDOOR DeepThroat 3.1 Connection attempt [4120] || mcafee,98574 || nessus,10053 +1984 || BACKDOOR DeepThroat 3.1 Server Response [4120] || arachnids,106 || mcafee,98574 || nessus,10053 +1985 || BACKDOOR Doly 1.5 server response +1986 || CHAT MSN outbound file transfer request +1987 || MISC xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188 +1988 || CHAT MSN outbound file transfer accept +1989 || CHAT MSN outbound file transfer rejected +1990 || CHAT MSN user search +1991 || CHAT MSN login attempt +1992 || FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112 +1993 || IMAP login literal buffer overflow attempt || bugtraq,6298 +1994 || WEB-CGI vpasswd.cgi access || bugtraq,6038 || nessus,11165 +1995 || WEB-CGI alya.cgi access || nessus,11118 +1996 || WEB-CGI viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107 +1997 || WEB-PHP read_body.php access attempt || bugtraq,6302 || cve,2002-1341 +1998 || WEB-PHP calendar.php access || bugtraq,5820 || bugtraq,9353 || nessus,11179 +1999 || WEB-PHP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104 +2000 || WEB-PHP readmsg.php access || cve,2001-1408 || nessus,11073 +2001 || WEB-CGI smartsearch.cgi access || bugtraq,7133 +2002 || WEB-PHP remote include path +2003 || MS-SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm +2004 || MS-SQL Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || 
nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm +2005 || RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +2006 || RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +2007 || RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +2008 || MISC CVS invalid user authentication response +2009 || MISC CVS invalid repository response +2010 || MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015 +2011 || MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015 +2012 || MISC CVS missing cvsroot response +2013 || MISC CVS invalid module response +2014 || RPC portmap UNSET attempt TCP 111 || bugtraq,1892 +2015 || RPC portmap UNSET attempt UDP 111 || bugtraq,1892 +2016 || RPC portmap status request TCP || arachnids,15 +2017 || RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331 +2018 || RPC mountd TCP dump request +2019 || RPC mountd UDP dump request +2020 || RPC mountd TCP unmount request +2021 || RPC mountd UDP unmount request +2022 || RPC mountd TCP unmountall request +2023 || RPC mountd UDP unmountall request +2024 || RPC RQUOTA getquota overflow attempt TCP || bugtraq,864 || cve,1999-0974 +2025 || RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +2026 || RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +2027 || RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +2028 || RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +2029 || RPC yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +2030 || RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +2031 || RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779 +2032 || RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779 
+2033 || RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232 +2034 || RPC ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016 +2035 || RPC portmap network-status-monitor request UDP +2036 || RPC portmap network-status-monitor request TCP +2037 || RPC network-status-monitor mon-callback request UDP +2038 || RPC network-status-monitor mon-callback request TCP +2039 || MISC bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312 +2040 || POLICY xtacacs login attempt +2041 || MISC xtacacs failed login response +2042 || POLICY xtacacs accepted login response +2043 || MISC isakmp login failed +2044 || POLICY PPTP Start Control Request attempt +2045 || RPC snmpXdmi overflow attempt UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +2046 || IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379 +2047 || MISC rsyncd module list access +2048 || MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943 +2049 || MS-SQL ping attempt || nessus,10674 +2050 || MS-SQL version overflow attempt || bugtraq,5310 || cve,2002-0649 || nessus,10674 +2051 || WEB-CGI cached_feed.cgi moreover shopping cart access || bugtraq,1762 || cve,2000-0906 +2052 || WEB-CGI overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html +2053 || WEB-CGI process_bug.cgi access || bugtraq,3272 || cve,2002-0008 +2054 || WEB-CGI enter_bug.cgi arbitrary command attempt || bugtraq,3272 || cve,2002-0008 +2055 || WEB-CGI enter_bug.cgi access || bugtraq,3272 || cve,2002-0008 +2056 || WEB-MISC TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf +2057 || WEB-MISC helpout.exe access || bugtraq,6002 || cve,2002-1169 || nessus,11162 +2058 || WEB-MISC MsmMask.exe attempt || nessus,11163 +2059 || WEB-MISC MsmMask.exe access || nessus,11163 +2060 || 
WEB-MISC DB4Web access || nessus,11180 +2061 || WEB-MISC Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042 +2062 || WEB-MISC iPlanet .perf access || nessus,11220 +2063 || WEB-MISC Demarc SQL injection attempt || bugtraq,4520 || cve,2002-0539 +2064 || WEB-MISC Lotus Notes .csp script source download attempt || bugtraq,6841 +2065 || WEB-MISC Lotus Notes .csp script source download attempt +2066 || WEB-MISC Lotus Notes .pl script source download attempt || bugtraq,6841 +2067 || WEB-MISC Lotus Notes .exe script source download attempt || bugtraq,6841 +2068 || WEB-MISC BitKeeper arbitrary command attempt || bugtraq,6588 +2069 || WEB-MISC chip.ini access || bugtraq,2755 || bugtraq,2775 || cve,2001-0749 || cve,2001-0771 +2070 || WEB-MISC post32.exe arbitrary command attempt || bugtraq,1485 +2071 || WEB-MISC post32.exe access || bugtraq,1485 +2072 || WEB-MISC lyris.pl access || bugtraq,1584 || cve,2000-0758 +2073 || WEB-MISC globals.pl access || bugtraq,2671 || cve,2001-0330 +2074 || WEB-PHP Mambo uploadimage.php upload php file attempt || bugtraq,6572 +2075 || WEB-PHP Mambo upload.php upload php file attempt || bugtraq,6572 +2076 || WEB-PHP Mambo uploadimage.php access || bugtraq,6572 +2077 || WEB-PHP Mambo upload.php access || bugtraq,6572 +2078 || WEB-PHP phpBB privmsg.php access || bugtraq,6634 +2079 || RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 +2080 || RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 +2081 || RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +2082 || RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +2083 || RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +2084 || RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +2085 || WEB-CGI parse_xml.cgi access || bugtraq,6960 || cve,2003-0054 +2086 || WEB-CGI streaming server parse_xml.cgi 
access || bugtraq,6960 || cve,2003-0054 +2087 || SMTP From comment overflow attempt || bugtraq,6991 || cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025 +2088 || RPC ypupdated arbitrary command attempt UDP +2089 || RPC ypupdated arbitrary command attempt TCP +2090 || WEB-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx +2091 || WEB-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx +2092 || RPC portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 +2093 || RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 +2094 || RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 +2095 || RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 +2100 || BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409 +2101 || NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx +2102 || NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx +2103 || NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt +2104 || ATTACK-RESPONSES rexec username too long response || bugtraq,7459 +2105 || IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 +2106 || IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +2107 || IMAP create buffer overflow attempt 
|| bugtraq,7446 +2108 || POP3 CAPA overflow attempt +2109 || POP3 TOP overflow attempt +2110 || POP3 STAT overflow attempt +2111 || POP3 DELE overflow attempt +2112 || POP3 RSET overflow attempt +2113 || RSERVICES rexec username overflow attempt +2114 || RSERVICES rexec password overflow attempt +2115 || WEB-CGI album.pl access || bugtraq,7444 || nessus,11581 +2116 || WEB-CGI chipcfg.cgi access || bugtraq,2767 || cve,2001-1341 || url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html +2117 || WEB-IIS Battleaxe Forum login.asp access || bugtraq,7416 || cve,2003-0215 +2118 || IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +2119 || IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +2120 || IMAP create literal buffer overflow attempt || bugtraq,7446 +2121 || POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 +2122 || POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 +2123 || ATTACK-RESPONSES Microsoft cmd.exe banner || nessus,11633 +2124 || BACKDOOR Remote PC Access connection attempt || nessus,11673 +2125 || FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 +2126 || MISC Microsoft PPTP Start Control Request buffer overflow attempt || bugtraq,5807 || cve,2002-1214 || url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx +2127 || WEB-CGI ikonboard.cgi access || bugtraq,7361 || nessus,11605 +2128 || WEB-CGI swsrv.cgi access || bugtraq,7510 || cve,2003-0217 || nessus,11608 +2129 || WEB-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227 || cve,2003-0349 || nessus,11664 || url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx +2130 || WEB-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662 +2131 || WEB-IIS IISProtect access || nessus,11661 +2132 || WEB-IIS Synchrologic Email Accelerator userid list access attempt || nessus,11657 +2133 || 
WEB-IIS MS BizTalk server access || bugtraq,7469 || bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 || url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx +2134 || WEB-IIS register.asp access || nessus,11621 +2135 || WEB-MISC philboard.mdb access || nessus,11682 +2136 || WEB-MISC philboard_admin.asp authentication bypass attempt || bugtraq,7739 || nessus,11675 +2137 || WEB-MISC philboard_admin.asp access || bugtraq,7739 || nessus,11675 +2138 || WEB-MISC logicworks.ini access || bugtraq,6996 || nessus,11639 +2139 || WEB-MISC /*.shtml access || bugtraq,1517 || cve,2000-0683 || nessus,11604 +2140 || WEB-PHP p-news.php access || nessus,11669 +2141 || WEB-PHP shoutbox.php directory traversal attempt || nessus,11668 +2142 || WEB-PHP shoutbox.php access || nessus,11668 +2143 || WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt || nessus,11667 +2144 || WEB-PHP b2 cafelog gm-2-b2.php access || nessus,11667 +2145 || WEB-PHP TextPortal admin.php default password admin attempt || bugtraq,7673 || nessus,11660 +2146 || WEB-PHP TextPortal admin.php default password 12345 attempt || bugtraq,7673 || nessus,11660 +2147 || WEB-PHP BLNews objects.inc.php4 remote file include attempt || bugtraq,7677 || cve,2003-0394 || nessus,11647 +2148 || WEB-PHP BLNews objects.inc.php4 access || bugtraq,7677 || cve,2003-0394 || nessus,11647 +2149 || WEB-PHP Turba status.php access || nessus,11646 +2150 || WEB-PHP ttCMS header.php remote file include attempt || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 +2151 || WEB-PHP ttCMS header.php access || bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || nessus,11636 +2152 || WEB-PHP test.php access || nessus,11617 +2153 || WEB-PHP autohtml.php directory traversal attempt || nessus,11630 +2154 || WEB-PHP autohtml.php access || nessus,11630 +2155 || WEB-PHP ttforum remote file include attempt || bugtraq,7542 || bugtraq,7543 || nessus,11615 +2156 || WEB-MISC mod_gzip_status access || nessus,11685 +2157 || 
WEB-IIS IISProtect globaladmin.asp access || nessus,11661 +2158 || MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 +2159 || MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 +2160 || VIRUS OUTBOUND .exe file attachment +2161 || VIRUS OUTBOUND .doc file attachment +2162 || VIRUS OUTBOUND .hta file attachment +2163 || VIRUS OUTBOUND .chm file attachment +2164 || VIRUS OUTBOUND .reg file attachment +2165 || VIRUS OUTBOUND .ini file attachment +2166 || VIRUS OUTBOUND .bat file attachment +2167 || VIRUS OUTBOUND .diz file attachment +2168 || VIRUS OUTBOUND .cpp file attachment +2169 || VIRUS OUTBOUND .dll file attachment +2170 || VIRUS OUTBOUND .vxd file attachment +2171 || VIRUS OUTBOUND .sys file attachment +2172 || VIRUS OUTBOUND .com file attachment +2173 || VIRUS OUTBOUND .hsq file attachment +2174 || NETBIOS SMB winreg create tree attempt +2175 || NETBIOS SMB winreg unicode create tree attempt +2176 || NETBIOS SMB startup folder access +2177 || NETBIOS SMB startup folder unicode access +2178 || FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 +2179 || FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 +2180 || P2P BitTorrent announce request +2181 || P2P BitTorrent transfer +2182 || BACKDOOR typot trojan traffic || mcafee,100406 +2183 || SMTP Content-Transfer-Encoding overflow attempt || cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html +2184 || RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 +2185 || RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 +2186 || BAD-TRAFFIC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 +2187 || BAD-TRAFFIC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 +2188 
|| BAD-TRAFFIC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 +2189 || BAD-TRAFFIC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 +2190 || NETBIOS DCERPC invalid bind attempt +2191 || NETBIOS SMB DCERPC invalid bind attempt +2192 || NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +2193 || NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +2194 || WEB-CGI CSMailto.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-0749 || nessus,11748 +2195 || WEB-CGI alert.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 +2196 || WEB-CGI catgy.cgi access || bugtraq,3714 || bugtraq,4579 || cve,2001-1212 || nessus,11748 +2197 || WEB-CGI cvsview2.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 +2198 || WEB-CGI cvslog.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 +2199 || WEB-CGI multidiff.cgi access || bugtraq,4579 || bugtraq,5517 || cve,2003-0153 || nessus,11748 +2200 || WEB-CGI dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579 || cve,2000-0423 || nessus,11748 +2201 || WEB-CGI download.cgi access || bugtraq,4579 || cve,1999-1377 || nessus,11748 +2202 || WEB-CGI edit_action.cgi access || bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748 +2203 || WEB-CGI everythingform.cgi access || bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748 +2204 || WEB-CGI ezadmin.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 +2205 || WEB-CGI ezboard.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 +2206 || WEB-CGI ezman.cgi access || bugtraq,4068 || bugtraq,4579 || cve,2002-0263 || nessus,11748 +2207 || WEB-CGI fileseek.cgi access || bugtraq,4579 || bugtraq,6784 || cve,2002-0611 || nessus,11748 +2208 || 
WEB-CGI fom.cgi access || bugtraq,4579 || cve,2002-0230 || nessus,11748 +2209 || WEB-CGI getdoc.cgi access || bugtraq,4579 || cve,2000-0288 || nessus,11748 +2210 || WEB-CGI global.cgi access || bugtraq,4579 || cve,2000-0952 || nessus,11748 +2211 || WEB-CGI guestserver.cgi access || bugtraq,4579 || cve,2001-0180 || nessus,11748 +2212 || WEB-CGI imageFolio.cgi access || bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748 +2213 || WEB-CGI mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748 +2214 || WEB-CGI mailview.cgi access || bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748 +2215 || WEB-CGI nsManager.cgi access || bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748 +2216 || WEB-CGI readmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 +2217 || WEB-CGI printmail.cgi access || bugtraq,3427 || bugtraq,4579 || cve,2001-1283 || nessus,11748 +2218 || WEB-CGI service.cgi access || bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748 +2219 || WEB-CGI setpasswd.cgi access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748 +2220 || WEB-CGI simplestmail.cgi access || bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748 +2221 || WEB-CGI ws_mail.cgi access || bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748 +2222 || WEB-CGI nph-exploitscanget.cgi access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434 || nessus,11740 +2223 || WEB-CGI csNews.cgi access || bugtraq,4994 || cve,2002-0923 || nessus,11726 +2224 || WEB-CGI psunami.cgi access || bugtraq,6607 || nessus,11750 +2225 || WEB-CGI gozila.cgi access || bugtraq,6086 || cve,2002-1236 || nessus,11773 +2226 || WEB-PHP pmachine remote file include attempt || bugtraq,7919 || nessus,11739 +2227 || WEB-PHP forum_details.php access || bugtraq,7933 || nessus,11760 +2228 || WEB-PHP phpMyAdmin db_details_importdocsql.php access || bugtraq,7962 || bugtraq,7965 || nessus,11761 +2229 || 
WEB-PHP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767 +2230 || WEB-MISC NetGear router default password login attempt admin/password || nessus,11737 +2231 || WEB-MISC register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2232 || WEB-MISC ContentFilter.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2233 || WEB-MISC SFNofitication.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2234 || WEB-MISC TOP10.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2235 || WEB-MISC SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2236 || WEB-MISC spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747 +2237 || WEB-MISC cgiWebupdate.exe access || bugtraq,3216 || cve,2001-1150 || nessus,11722 +2238 || WEB-MISC WebLogic ConsoleHelp view source attempt || bugtraq,1518 || cve,2000-0682 || nessus,11724 +2239 || WEB-MISC redirect.exe access || bugtraq,1256 || cve,2000-0401 +2240 || WEB-MISC changepw.exe access || bugtraq,1256 || cve,2000-0401 +2241 || WEB-MISC cwmail.exe access || bugtraq,4093 || cve,2002-0273 || nessus,11727 +2242 || WEB-MISC ddicgi.exe access || bugtraq,1657 || cve,2000-0826 || nessus,11728 +2243 || WEB-MISC ndcgi.exe access || bugtraq,3583 || cve,2001-0922 || nessus,11730 +2244 || WEB-MISC VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731 +2245 || WEB-MISC Webnews.exe access || bugtraq,4124 || cve,2002-0290 || nessus,11732 +2246 || WEB-MISC webadmin.dll access || bugtraq,7438 || bugtraq,7439 || bugtraq,8024 || cve,2003-0471 || nessus,11771 +2247 || WEB-IIS UploadScript11.asp access || cve,2001-0938 +2248 || WEB-IIS DirectoryListing.asp access || cve,2001-0938 +2249 || WEB-IIS /pcadmin/login.asp access || bugtraq,8103 || nessus,11785 +2250 || POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742 +2251 || NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || 
cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx +2252 || NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx +2253 || SMTP XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx +2254 || SMTP XEXCH50 overflow with evasion attempt || url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx +2255 || RPC sadmind query with root credentials attempt TCP +2256 || RPC sadmind query with root credentials attempt UDP +2257 || NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx +2258 || NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx +2259 || SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 +2260 || SMTP VRFY overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 +2261 || SMTP SEND FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316 +2262 || SMTP SEND FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 +2263 || SMTP SAML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 +2264 || SMTP SAML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 +2265 || SMTP SOML FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 +2266 || SMTP SOML FROM sendmail prescan too long addresses overflow || bugtraq,7230 || 
cve,2003-0161 +2267 || SMTP MAIL FROM sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 +2268 || SMTP MAIL FROM sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 +2269 || SMTP RCPT TO sendmail prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337 +2270 || SMTP RCPT TO sendmail prescan too long addresses overflow || bugtraq,7230 || cve,2003-0161 +2271 || BACKDOOR FsSniffer connection attempt || nessus,11854 +2272 || FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 +2273 || IMAP login brute force attempt +2274 || POP3 login brute force attempt +2275 || SMTP AUTH LOGON brute force attempt +2276 || WEB-MISC oracle portal demo access || nessus,11918 +2277 || WEB-MISC PeopleSoft PeopleBooks psdoccgi access || bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627 +2278 || WEB-MISC client negative Content-Length attempt || bugtraq,9098 || bugtraq,9476 || bugtraq,9576 || cve,2004-0095 +2279 || WEB-PHP UpdateClasses.php access || bugtraq,9057 +2280 || WEB-PHP Title.php access || bugtraq,9057 +2281 || WEB-PHP Setup.php access || bugtraq,9057 +2282 || WEB-PHP GlobalFunctions.php access || bugtraq,9057 +2283 || WEB-PHP DatabaseFunctions.php access || bugtraq,9057 +2284 || WEB-PHP rolis guestbook remote file include attempt || bugtraq,9057 +2285 || WEB-PHP rolis guestbook access || bugtraq,9057 +2286 || WEB-PHP friends.php access || bugtraq,9088 +2287 || WEB-PHP Advanced Poll admin_comment.php access || bugtraq,8890 || nessus,11487 +2288 || WEB-PHP Advanced Poll admin_edit.php access || bugtraq,8890 || nessus,11487 +2289 || WEB-PHP Advanced Poll admin_embed.php access || bugtraq,8890 || nessus,11487 +2290 || WEB-PHP Advanced Poll admin_help.php access || bugtraq,8890 || nessus,11487 +2291 || WEB-PHP Advanced Poll admin_license.php access || bugtraq,8890 || nessus,11487 +2292 || WEB-PHP Advanced Poll admin_logout.php access || bugtraq,8890 || nessus,11487 +2293 || 
WEB-PHP Advanced Poll admin_password.php access || bugtraq,8890 || nessus,11487 +2294 || WEB-PHP Advanced Poll admin_preview.php access || bugtraq,8890 || nessus,11487 +2295 || WEB-PHP Advanced Poll admin_settings.php access || bugtraq,8890 || nessus,11487 +2296 || WEB-PHP Advanced Poll admin_stats.php access || bugtraq,8890 || nessus,11487 +2297 || WEB-PHP Advanced Poll admin_templates_misc.php access || bugtraq,8890 || nessus,11487 +2298 || WEB-PHP Advanced Poll admin_templates.php access || bugtraq,8890 || nessus,11487 +2299 || WEB-PHP Advanced Poll admin_tpl_misc_new.php access || bugtraq,8890 || nessus,11487 +2300 || WEB-PHP Advanced Poll admin_tpl_new.php access || bugtraq,8890 || nessus,11487 +2301 || WEB-PHP Advanced Poll booth.php access || bugtraq,8890 || nessus,11487 +2302 || WEB-PHP Advanced Poll poll_ssi.php access || bugtraq,8890 || nessus,11487 +2303 || WEB-PHP Advanced Poll popup.php access || bugtraq,8890 || nessus,11487 +2304 || WEB-PHP files.inc.php access || bugtraq,8910 +2305 || WEB-PHP chatbox.php access || bugtraq,8930 +2306 || WEB-PHP gallery remote file include attempt || bugtraq,8814 || nessus,11876 +2307 || WEB-PHP PayPal Storefront remote file include attempt || bugtraq,8791 || nessus,11873 +2308 || NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2309 || NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2310 || NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2311 || NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2312 || SHELLCODE x86 0x71FB7BAB NOOP +2313 || SHELLCODE x86 0x71FB7BAB NOOP unicode +2314 || 
SHELLCODE x86 0x90 NOOP unicode +2315 || NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2316 || NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +2317 || MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 +2318 || MISC CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 +2319 || EXPLOIT ebola PASS overflow attempt || bugtraq,9156 +2320 || EXPLOIT ebola USER overflow attempt || bugtraq,9156 +2321 || WEB-IIS foxweb.exe access || nessus,11939 +2322 || WEB-IIS foxweb.dll access || nessus,11939 +2323 || WEB-CGI quickstore.cgi access || bugtraq,9282 || nessus,11975 +2324 || WEB-IIS VP-ASP shopsearch.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 +2325 || WEB-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133 || bugtraq,9134 || nessus,11942 +2326 || WEB-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375 || nessus,11955 +2327 || WEB-MISC bsml.pl access || bugtraq,9311 || nessus,11973 +2328 || WEB-PHP authentication_index.php access || cve,2004-0032 || nessus,11982 +2329 || MS-SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx +2330 || IMAP auth overflow attempt || bugtraq,8861 +2331 || WEB-PHP MatrikzGB privilege escalation attempt || bugtraq,8430 +2332 || FTP MKDIR format string attempt || bugtraq,9262 +2333 || FTP RENAME format string attempt || bugtraq,9262 +2334 || FTP Yak! 
FTP server default account login attempt || bugtraq,9072 +2335 || FTP RMD / attempt || bugtraq,9159 +2336 || TFTP NULL command attempt || bugtraq,7575 +2337 || TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 +2338 || FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx +2339 || TFTP NULL command attempt || bugtraq,7575 +2340 || FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 +2341 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 +2342 || WEB-PHP DCP-Portal remote file include attempt || bugtraq,6525 +2343 || FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 +2344 || FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704 +2345 || WEB-PHP PhpGedView search.php access || bugtraq,9369 || cve,2004-0032 +2346 || WEB-PHP myPHPNuke chatheader.php access || bugtraq,6544 +2347 || WEB-PHP myPHPNuke partner.php access || bugtraq,6544 +2348 || NETBIOS SMB-DS DCERPC print spool bind attempt +2349 || NETBIOS SMB-DS DCERPC enumerate printers request attempt +2350 || NETBIOS DCERPC ISystemActivator bind accept || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +2351 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +2352 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +2353 || WEB-PHP IdeaBox cord.php file include || bugtraq,7488 +2354 || WEB-PHP IdeaBox notification.php file include || bugtraq,7488 +2355 || WEB-PHP 
Invision Board emailer.php file include || bugtraq,7204 +2356 || WEB-PHP WebChat db_mysql.php file include || bugtraq,7000 +2357 || WEB-PHP WebChat english.php file include || bugtraq,7000 +2358 || WEB-PHP Typo3 translations.php file include || bugtraq,6984 +2359 || WEB-PHP Invision Board ipchat.php file include || bugtraq,6976 +2360 || WEB-PHP myphpPagetool pt_config.inc file include || bugtraq,6744 +2361 || WEB-PHP news.php file include || bugtraq,6674 +2362 || WEB-PHP YaBB SE packages.php file include || bugtraq,6663 +2363 || WEB-PHP Cyboards default_header.php access || bugtraq,6597 +2364 || WEB-PHP Cyboards options_form.php access || bugtraq,6597 +2365 || WEB-PHP newsPHP Language file include attempt || bugtraq,8488 +2366 || WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 +2367 || WEB-PHP PhpGedView PGV functions.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 +2368 || WEB-PHP PhpGedView PGV config_gedcom.php base directory manipulation attempt || bugtraq,9368 || cve,2004-0030 +2369 || WEB-MISC ISAPISkeleton.dll access || bugtraq,9516 +2370 || WEB-MISC BugPort config.conf file access || bugtraq,9542 +2371 || WEB-MISC Sample_showcode.html access || bugtraq,9555 +2372 || WEB-PHP Photopost PHP Pro showphoto.php access || bugtraq,9557 +2373 || FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 +2374 || FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 +2375 || BACKDOOR DoomJuice file upload attempt || url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html +2376 || EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +2377 || EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +2378 || EXPLOIT ISAKMP third payload certificate request length overflow attempt || bugtraq,9582 || 
cve,2004-0040 +2379 || EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +2380 || EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +2381 || WEB-MISC schema overflow attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084 +2382 || NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +2383 || NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +2384 || NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 +2385 || NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 +2386 || WEB-IIS NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +2387 || WEB-CGI view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 +2388 || WEB-CGI streaming server view_broadcast.cgi access || bugtraq,8257 || cve,2003-0422 +2389 || FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 +2390 || FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 +2391 || FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 +2392 || FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 +2393 || WEB-PHP /_admin access || bugtraq,9537 || nessus,12032 +2394 || WEB-MISC Compaq web-based management agent denial of service attempt || bugtraq,8014 
+2395 || WEB-MISC InteractiveQuery.jsp access || bugtraq,8938 || cve,2003-0624 +2396 || WEB-CGI CCBill whereami.cgi arbitrary command execution attempt || bugtraq,8095 || url,secunia.com/advisories/9191/ +2397 || WEB-CGI CCBill whereami.cgi access || bugtraq,8095 || url,secunia.com/advisories/9191/ +2398 || WEB-PHP WAnewsletter newsletter.php file include attempt || bugtraq,6965 +2399 || WEB-PHP WAnewsletter db_type.php access || bugtraq,6964 +2400 || WEB-MISC edittag.pl access || bugtraq,6675 +2401 || NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +2402 || NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +2403 || NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +2404 || NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +2405 || WEB-PHP phptest.php access || bugtraq,9737 +2406 || TELNET APC SmartSlot default admin account attempt || bugtraq,9681 || cve,2004-0311 || nessus,12066 +2407 || WEB-MISC util.pl access || bugtraq,9748 +2408 || WEB-MISC Invision Power Board search.pl access || bugtraq,9766 +2409 || POP3 APOP USER overflow attempt || bugtraq,9794 +2410 || WEB-PHP IGeneric Free Shopping Cart page.php access || bugtraq,9773 +2411 || WEB-MISC Real Server DESCRIBE buffer overflow attempt || bugtraq,8476 || url,www.service.real.com/help/faq/security/rootexploit091103.html +2412 || ATTACK-RESPONSES successful cross site scripting forced download attempt +2413 || EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 +2414 || EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || 
cve,2004-0164 +2415 || EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 +2416 || FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 +2417 || FTP format string attempt +2418 || MISC MS Terminal Server no encryption session initiation attempt || url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx +2419 || MULTIMEDIA realplayer .ram playlist download attempt +2420 || MULTIMEDIA realplayer .rmp playlist download attempt +2421 || MULTIMEDIA realplayer .smi playlist download attempt +2422 || MULTIMEDIA realplayer .rt playlist download attempt +2423 || MULTIMEDIA realplayer .rp playlist download attempt +2424 || NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045 +2425 || NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045 +2426 || NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045 +2427 || NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045 +2428 || NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 +2429 || NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045 +2430 || NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045 +2431 || NNTP rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045 +2432 || NNTP article post without path attempt +2433 || WEB-CGI MDaemon form2raw.cgi overflow attempt || bugtraq,9317 || url,secunia.com/advisories/10512/ +2434 || WEB-CGI MDaemon form2raw.cgi access || bugtraq,9317 || url,secunia.com/advisories/10512/ +2435 || WEB-CLIENT Microsoft emf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2436 || WEB-CLIENT Microsoft wmf metafile access || bugtraq,10120 || bugtraq,9707 || cve,2003-0906 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2437 || WEB-CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || 
cve,2003-0726 +2438 || WEB-CLIENT RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258 +2439 || WEB-CLIENT RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258 +2440 || WEB-CLIENT RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258 +2441 || WEB-MISC NetObserve authentication bypass attempt || bugtraq,9319 +2442 || WEB-MISC Quicktime User-Agent buffer overflow attempt || bugtraq,9735 || cve,2004-0169 +2443 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html +2444 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html +2445 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt || url,www.eeye.com/html/Research/Advisories/AD20040318.html +2446 || EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt || cve,2004-0362 || url,www.eeye.com/html/Research/Advisories/AD20040318.html +2447 || WEB-MISC ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122 +2448 || WEB-MISC setinfo.hts access || bugtraq,9973 || nessus,12120 +2449 || FTP ALLO overflow attempt || bugtraq,9953 +2450 || CHAT Yahoo IM successful logon +2451 || CHAT Yahoo IM voicechat +2452 || CHAT Yahoo IM ping +2453 || CHAT Yahoo IM conference invitation +2454 || CHAT Yahoo IM conference logon success +2455 || CHAT Yahoo IM conference message +2456 || CHAT Yahoo Messenger File Transfer Receive Request +2457 || CHAT Yahoo IM message +2458 || CHAT Yahoo IM successful chat join +2459 || CHAT Yahoo IM conference offer invitation +2460 || CHAT Yahoo IM conference request +2461 || CHAT Yahoo IM conference watch +2462 || EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +2463 || EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +2464 || EXPLOIT EIGRP prefix length overflow attempt || 
bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +2465 || NETBIOS SMB-DS IPC$ share access +2466 || NETBIOS SMB-DS IPC$ unicode share access +2467 || NETBIOS SMB D$ unicode share access +2468 || NETBIOS SMB-DS D$ share access +2469 || NETBIOS SMB-DS D$ unicode share access +2470 || NETBIOS SMB C$ unicode share access +2471 || NETBIOS SMB-DS C$ share access +2472 || NETBIOS SMB-DS C$ unicode share access +2473 || NETBIOS SMB ADMIN$ unicode share access +2474 || NETBIOS SMB-DS ADMIN$ share access +2475 || NETBIOS SMB-DS ADMIN$ unicode share access +2476 || NETBIOS SMB-DS winreg create tree attempt +2477 || NETBIOS SMB-DS winreg unicode create tree attempt +2478 || NETBIOS SMB-DS winreg bind attempt +2479 || NETBIOS SMB-DS winreg unicode bind attempt +2480 || NETBIOS SMB-DS InitiateSystemShutdown unicode attempt +2481 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt +2482 || NETBIOS SMB-DS InitiateSystemShutdown attempt +2483 || NETBIOS SMB-DS InitiateSystemShutdown little endian attempt +2484 || WEB-MISC source.jsp access || nessus,12119 +2485 || WEB-CLIENT Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 +2486 || DOS ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 +2487 || SMTP WinZip MIME content-type buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 +2488 || SMTP WinZip MIME content-disposition buffer overflow || bugtraq,9758 || cve,2004-0333 || nessus,12621 +2489 || EXPLOIT esignal STREAMQUOTE buffer overflow attempt || bugtraq,9978 +2490 || EXPLOIT esignal SNAPQUOTE buffer overflow attempt || bugtraq,9978 +2491 || NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2492 || NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2493 || NETBIOS 
SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2494 || NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2495 || NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2496 || NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2497 || IMAP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2498 || IMAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2499 || MISC LDAP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2500 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2501 || POP3 SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2502 || POP3 SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2503 || SMTP SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2504 || SMTP SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2505 || 
WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2506 || WEB-MISC SSLv3 invalid timestamp attempt || bugtraq,10115 || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2507 || NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2508 || NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2509 || NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2510 || NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2511 || NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2512 || NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2513 || NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2514 || NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2515 || WEB-MISC PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2516 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2517 || IMAP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || 
url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2518 || POP3 PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2520 || WEB-MISC SSLv3 Client_Hello request +2521 || WEB-MISC SSLv3 Server_Hello request +2522 || WEB-MISC SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2523 || DOS BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm +2524 || NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2525 || NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2526 || NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2527 || SMTP STARTTLS attempt +2528 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2529 || IMAP SSLv3 Client_Hello request +2530 || IMAP SSLv3 Server_Hello request +2531 || IMAP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2532 || POP3 SSLv3 Client_Hello request +2533 || POP3 SSLv3 Server_Hello request +2534 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2535 || POP3 SSLv3 Client_Hello request +2536 || POP3 SSLv3 Server_Hello request +2537 || POP3 SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2541 || SMTP TLS SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || 
nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2542 || SMTP SSLv3 Client_Hello request +2543 || SMTP TLS SSLv3 Server_Hello request || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2544 || SMTP SSLv3 invalid Client_Hello attempt || cve,2004-0120 || nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +2545 || EXPLOIT AFP FPLoginExt username buffer overflow attempt || bugtraq,10271 || cve,2004-0430 || url,www.atstake.com/research/advisories/2004/a050304-1.txt +2546 || FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 +2547 || MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 +2548 || MISC HP Web JetAdmin setinfo access || bugtraq,9972 +2549 || MISC HP Web JetAdmin file write attempt || bugtraq,9973 +2550 || EXPLOIT winamp XM module name overflow || url,www.nextgenss.com/advisories/winampheap.txt +2551 || EXPLOIT Oracle Web Cache GET overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2552 || EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2553 || EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2554 || EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2555 || EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2556 || EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2557 || EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2558 || EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2559 || EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +2560 || EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || 
cve,2004-0385 || nessus,12126 +2561 || MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 +2562 || WEB-MISC McAfee ePO file upload attempt || bugtraq,10200 || cve,2004-0038 +2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html +2564 || NETBIOS NS lookup short response attempt || bugtraq,10334 || bugtraq,10335 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512C.html +2565 || WEB-PHP modules.php access || bugtraq,9879 +2566 || WEB-PHP PHPBB viewforum.php access || bugtraq,9865 || bugtraq,9866 || nessus,12093 +2567 || WEB-CGI Emumail init.emu access || bugtraq,9861 || nessus,12095 +2568 || WEB-CGI Emumail emumail.fcgi access || bugtraq,9861 || nessus,12095 +2569 || WEB-MISC cPanel resetpass access || bugtraq,9848 +2570 || WEB-MISC Invalid HTTP Version String || bugtraq,9809 || nessus,11593 +2571 || WEB-IIS SmarterTools SmarterMail frmGetAttachment.aspx access || bugtraq,9805 +2572 || WEB-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt || bugtraq,9805 +2573 || WEB-IIS SmarterTools SmarterMail frmCompose.asp access || bugtraq,9805 +2574 || FTP RETR format string attempt || bugtraq,9800 +2575 || WEB-PHP Opt-X header.php remote file include attempt || bugtraq,9732 +2576 || ORACLE dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html +2577 || WEB-CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 +2578 || EXPLOIT kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt +2579 || EXPLOIT kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt +2580 || WEB-MISC server negative Content-Length attempt || cve,2004-0492 || 
url,www.guninski.com/modproxy1.html +2581 || WEB-MISC Crystal Reports crystalimagehandler.aspx access || cve,2004-0204 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx +2582 || WEB-MISC Crystal Reports crystalImageHandler.aspx directory traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 || url,www.microsoft.com/security/bulletins/200406_crystal.mspx +2583 || MISC CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 +2584 || EXPLOIT eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 +2585 || WEB-MISC nessus 2.x 404 probe || nessus,10386 +2586 || P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html +2587 || P2P eDonkey server response || url,www.emule-project.net +2588 || WEB-PHP TUTOS path disclosure attempt || bugtraq,10129 || url,www.securiteam.com/unixfocus/5FP0J15CKE.html +2589 || WEB-CLIENT Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx +2590 || SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html +2591 || SMTP From command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2592 || SMTP ReplyTo command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2593 || SMTP Sender command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2594 || SMTP To command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2595 || SMTP CC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2596 || SMTP BCC command overflow attempt || bugtraq,10291 || cve,2004-0400 || url,www.guninski.com/exim1.html +2597 || WEB-MISC Samba SWAT Authorization overflow attempt || bugtraq,10780 +2598 || WEB-MISC Samba SWAT Authorization port 901 overflow 
attempt || bugtraq,10780 +2599 || ORACLE dbms_repcat.add_grouped_column buffer overflow attempt +2600 || ORACLE add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +2601 || ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt +2602 || ORACLE drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html +2603 || ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +2604 || ORACLE create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +2605 || ORACLE dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html +2606 || ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2607 || ORACLE comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2608 || ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2609 || ORACLE dbms_repcat.cancel_statistics buffer overflow attempt +2610 || ORACLE cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +2611 || ORACLE LINK metadata buffer overflow attempt || bugtraq,7453 || cve,2003-0222 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html +2612 || ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2613 || ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2614 || ORACLE time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt +2615 || ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt 
|| url,www.appsecinc.com/Policy/PolicyCheck97.html +2616 || ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2617 || ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2618 || ORACLE alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2619 || ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2620 || ORACLE alter_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2621 || ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2622 || ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2623 || ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2624 || ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +2625 || ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +2626 || ORACLE dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html +2627 || ORACLE dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2628 || ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2629 || ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +2630 || ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt || 
url,www.appsecinc.com/Policy/PolicyCheck94.html +2631 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2632 || ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2633 || ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2634 || ORACLE rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2635 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2636 || ORACLE snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2637 || ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2638 || ORACLE drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +2639 || ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2640 || ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +2641 || ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt +2642 || ORACLE drop_site_instantiation ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html +2643 || ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html +2644 || ORACLE from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt +2645 || ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt +2646 || ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html +2647 
|| ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt +2648 || ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html +2649 || ORACLE service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html +2650 || ORACLE user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html +2651 || ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_numtodsinterval.txt || url,www.nextgenss.com/advisories/ora_numtoyminterval.txt +2652 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2653 || ORACLE og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +2654 || WEB-PHP PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 +2655 || MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 +2656 || WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt +2657 || WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt +2658 || WEB-MISC SSLv2 Client_Hello request +2659 || WEB-MISC SSLv2 Client_Hello with pad request +2660 || WEB-MISC SSLv2 Server_Hello request +2661 || WEB-MISC TLSv1 Client_Hello request +2662 || WEB-MISC TLSv1 Server_Hello request +2663 || WEB-CGI WhatsUpGold instancename overflow attempt || bugtraq,11043 || cve,2004-0798 +2664 || IMAP login format string attempt || bugtraq,10976 +2665 || IMAP login literal format string attempt || bugtraq,10976 +2666 || POP3 PASS format string attempt || bugtraq,10976 +2667 || WEB-IIS ping.asp access || nessus,10968 +2668 || WEB-CGI processit access || nessus,10649 +2669 || WEB-CGI ibillpm.pl access || bugtraq,3476 || nessus,11083 +2670 || WEB-CGI pgpmail.pl access || bugtraq,3605 || cve,2001-0937 || nessus,11070 +2671 || WEB-CLIENT bitmap BitmapOffset integer overflow attempt 
|| bugtraq,9663 || cve,2004-0566 +2672 || WEB-MISC sresult.exe access || bugtraq,10837 || nessus,14186 +2673 || WEB-CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 +2674 || ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt +2675 || ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt +2676 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt +2677 || ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt +2678 || ORACLE ctx_output.start_log buffer overflow attempt +2679 || ORACLE sys.dbms_system.ksdwrt buffer overflow attempt +2680 || ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt +2681 || ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt +2682 || ORACLE mdsys.md2.validate_geom buffer overflow attempt +2683 || ORACLE mdsys.md2.sdo_code_size buffer overflow attempt +2684 || ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt +2685 || ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt +2686 || ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +2687 || ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt +2688 || ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt +2689 || ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt +2690 || ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt +2691 || ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt +2692 || ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt +2693 || ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt +2694 || ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt +2695 || ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt +2696 || ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt +2697 || ORACLE 
alter file buffer overflow attempt +2698 || ORACLE create file buffer overflow attempt +2699 || ORACLE TO_CHAR buffer overflow attempt +2700 || ORACLE numtoyminterval buffer overflow attempt +2701 || WEB-MISC Oracle iSQLPlus sid overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt +2702 || WEB-MISC Oracle iSQLPlus username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt +2703 || WEB-MISC Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt +2704 || WEB-MISC Oracle 10g iSQLPlus login.unix connectID overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt +2705 || WEB-CLIENT JPEG parser heap overflow attempt || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx +2706 || WEB-CLIENT JPEG transfer +2707 || WEB-CLIENT JPEG parser multipacket heap overflow || bugtraq,11173 || cve,2004-0200 || url,www.microsoft.com/security/bulletins/200409_jpeg.mspx +2708 || ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2709 || ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2710 || ORACLE dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2711 || ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2712 || ORACLE dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2713 || ORACLE dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2714 || ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2715 || ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2716 || ORACLE dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2717 || ORACLE dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2718 || ORACLE dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2719 || ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2720 || ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2721 || ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2722 || ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2723 || ORACLE dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2724 || ORACLE dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2725 || ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2726 || ORACLE dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2727 || ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2728 || ORACLE dbms_repcat.add_priority_raw buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2729 || ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2730 || ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2731 || ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2732 || ORACLE dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2733 || ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2734 || ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2735 || ORACLE dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2736 || ORACLE dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2737 || ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2738 || ORACLE dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2739 || ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2740 || ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2741 || ORACLE dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2742 || ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2743 || ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2744 || ORACLE dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2745 || ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2746 || ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2747 || ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2748 || ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2749 || ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2750 || ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2751 || ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2752 || ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2753 || ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2754 || ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2755 || ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2756 || ORACLE dbms_repcat.comment_on_update_resolution buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2757 || ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2758 || ORACLE dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2759 || ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2760 || ORACLE dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2761 || ORACLE dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2762 || ORACLE dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2763 || ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2764 || ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2765 || ORACLE dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2766 || ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2767 || ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2768 || ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2769 || ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2770 || ORACLE dbms_repcat.drop_object_from_flavor buffer overflow 
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2771 || ORACLE dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2772 || ORACLE dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2773 || ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2774 || ORACLE dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2775 || ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2776 || ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2777 || ORACLE dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2778 || ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2779 || ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2780 || ORACLE dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2781 || ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2782 || ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2783 || ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2784 || ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2785 || ORACLE dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2786 || ORACLE dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2787 || ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2788 || ORACLE dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2789 || ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2790 || ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2791 || ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2792 || ORACLE dbms_repcat.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2793 || ORACLE dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2794 || ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2795 || ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2796 || ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2797 || ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2798 || ORACLE dbms_repcat.register_statistics buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2799 || ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2800 || ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2801 || ORACLE dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2802 || ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2803 || ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2804 || ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2805 || ORACLE dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2806 || ORACLE dbms_repcat.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2807 || ORACLE dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2808 || ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2809 || ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2810 || ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2811 || ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2812 || ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2813 || ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2814 || ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2815 || ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2816 || ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2817 || ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2818 || ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2819 || ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2820 || ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2821 || ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2822 || ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2823 || ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2824 || ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2825 || ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2826 || ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2827 || ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2828 || ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2829 || ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2830 || ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2831 || ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2832 || ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2833 || ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2834 || ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2835 || ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2836 || ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2837 || ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2838 || ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2839 || ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2840 || ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2841 || ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2842 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2843 || ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2844 || ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2845 || ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2846 || ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2847 || ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2848 || ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2849 || ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2850 || ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2851 || ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2852 || ORACLE dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2853 || ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2854 || ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2855 || ORACLE dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2856 || ORACLE dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2857 || ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2858 || ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2859 || ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2860 || ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2861 || ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2862 || ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2863 || ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2864 || ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2865 || ORACLE 
sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2866 || ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2867 || ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2868 || ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2869 || ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2870 || ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2871 || ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2872 || ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2873 || ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2874 || ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2875 || ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2876 || ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2877 || ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2878 || ORACLE sys.dbms_repcat_conf.alter_site_priority buffer 
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2879 || ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2880 || ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2881 || ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2882 || ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2883 || ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2884 || ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2885 || ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2886 || ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2887 || ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2888 || ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2889 || ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2890 || ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2891 || ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2892 || ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2893 || ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2894 || ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2895 || ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2896 || ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2897 || ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2898 || ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2899 || ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2900 || ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2901 || ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2902 || ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2903 || ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2904 || ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2905 || ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2906 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2907 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2908 || ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2909 || ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2910 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2911 || ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2912 || ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2913 || ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2914 || ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2915 || ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2916 || ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2917 || ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || 
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2918 || ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2919 || ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
+2921 || DNS UDP inverse query || bugtraq,2302 || cve,2001-0010
+2922 || DNS TCP inverse query || bugtraq,2302 || cve,2001-0010
+2923 || NETBIOS SMB repeated logon failure
+2924 || NETBIOS SMB-DS repeated logon failure
+2925 || INFO web bug 0x0 gif attempt
+2926 || WEB-PHP PhpGedView PGV base directory manipulation || bugtraq,9368
+2927 || NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx
+2928 || NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
+2929 || NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
+2930 || NETBIOS SMB-DS nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206
+2931 || NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206
+2932 || NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
+2933 || NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
+2934 || NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206
+2935 || NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206
+2936 || NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
+2937 || NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
+2938 || NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206
+2939 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206
+2940 || NETBIOS SMB winreg bind attempt
+2941 || NETBIOS SMB winreg unicode bind attempt 
+2942 || NETBIOS SMB InitiateSystemShutdown attempt
+2943 || NETBIOS SMB InitiateSystemShutdown little endian attempt
+2944 || NETBIOS SMB InitiateSystemShutdown unicode attempt
+2945 || NETBIOS SMB InitiateSystemShutdown unicode little endian attempt
+2946 || NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2947 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2948 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2949 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206
+2950 || NETBIOS SMB too many stacked requests
+2951 || NETBIOS SMB-DS too many stacked requests
+2952 || NETBIOS SMB IPC$ andx share access
+2953 || NETBIOS SMB IPC$ unicode andx share access
+2954 || NETBIOS SMB-DS IPC$ andx share access
+2955 || NETBIOS SMB-DS IPC$ unicode andx share access
+2956 || NETBIOS SMB nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2957 || NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2958 || NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2959 || NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206
+2960 || NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206
+2961 || NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206
+2962 || NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206
+2963 || NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206
+2964 || NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2965 || NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2966 || NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt 
|| bugtraq,11372 || cve,2004-0206
+2967 || NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2968 || NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2969 || NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2970 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2971 || NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206
+2972 || NETBIOS SMB D$ andx share access
+2973 || NETBIOS SMB D$ unicode andx share access
+2974 || NETBIOS SMB-DS D$ andx share access
+2975 || NETBIOS SMB-DS D$ unicode andx share access
+2976 || NETBIOS SMB C$ andx share access
+2977 || NETBIOS SMB C$ unicode andx share access
+2978 || NETBIOS SMB-DS C$ andx share access
+2979 || NETBIOS SMB-DS C$ unicode andx share access
+2980 || NETBIOS SMB ADMIN$ andx share access
+2981 || NETBIOS SMB ADMIN$ unicode andx share access
+2982 || NETBIOS SMB-DS ADMIN$ andx share access
+2983 || NETBIOS SMB-DS ADMIN$ unicode andx share access
+2984 || NETBIOS SMB winreg andx create tree attempt
+2985 || NETBIOS SMB winreg unicode andx create tree attempt
+2986 || NETBIOS SMB-DS winreg andx create tree attempt
+2987 || NETBIOS SMB-DS winreg unicode andx create tree attempt
+2988 || NETBIOS SMB winreg andx bind attempt
+2989 || NETBIOS SMB winreg unicode andx bind attempt
+2990 || NETBIOS SMB-DS winreg andx bind attempt
+2991 || NETBIOS SMB-DS winreg unicode andx bind attempt
+2992 || NETBIOS SMB InitiateSystemShutdown andx attempt
+2993 || NETBIOS SMB InitiateSystemShutdown little endian andx attempt
+2994 || NETBIOS SMB InitiateSystemShutdown unicode andx attempt
+2995 || NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt
+2996 || NETBIOS SMB-DS InitiateSystemShutdown andx attempt
+2997 || NETBIOS SMB-DS 
InitiateSystemShutdown little endian andx attempt
+2998 || NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt
+2999 || NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt
+3000 || NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3001 || NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3002 || NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3003 || NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3004 || NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3005 || NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx
+3006 || EXPLOIT Volition Freespace 2 buffer overflow attempt || bugtraq,9785
+3007 || IMAP delete overflow attempt || bugtraq,11675
+3008 || IMAP delete literal overflow attempt || bugtraq,11675
+3009 || BACKDOOR NetBus Pro 2.0 connection request
+3010 || BACKDOOR RUX the Tick get windows directory attempt
+3011 || BACKDOOR RUX the Tick get system directory attempt
+3012 || BACKDOOR RUX the Tick upload/execute arbitrary file attempt
+3013 || BACKDOOR Asylum 0.1 
connection request
+3014 || BACKDOOR Asylum 0.1 connection established
+3015 || BACKDOOR Insane Network 4.0 connection established
+3016 || BACKDOOR Insane Network 4.0 connection established port 63536
+3017 || EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx
+3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154
+3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154
+3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154
+3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154
+3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154
+3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154
+3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154
+3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154
+3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
+3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154
+3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154
+3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154
+3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
+3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154
+3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154
+3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154
+3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
+3035 
|| NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154
+3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154
+3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154
+3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
+3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154
+3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154
+3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154
+3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
+3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
+3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
+3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt
+3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt
+3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt
+3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt
+3058 || IMAP copy literal overflow attempt || bugtraq,1110
+3059 || 
WEB-MISC TLSv1 Client_Hello via SSLv2 handshake request
+3061 || MISC distccd command execution attempt || url,distcc.samba.org/security.html
+3062 || WEB-CGI NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791
+3063 || BACKDOOR Vampire 1.2 connection request
+3064 || BACKDOOR Vampire 1.2 connection confirmation
+3065 || IMAP append literal overflow attempt || bugtraq,11775
+3066 || IMAP append overflow attempt || bugtraq,11775
+3067 || IMAP examine literal overflow attempt || bugtraq,11775
+3068 || IMAP examine overflow attempt || bugtraq,11775
+3069 || IMAP fetch literal overflow attempt || bugtraq,11775
+3070 || IMAP fetch overflow attempt || bugtraq,11775
+3071 || IMAP status literal overflow attempt || bugtraq,11775
+3072 || IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256
+3073 || IMAP subscribe literal overflow attempt || bugtraq,11775
+3074 || IMAP subscribe overflow attempt || bugtraq,11775
+3075 || IMAP unsubscribe literal overflow attempt || bugtraq,11775
+3076 || IMAP unsubscribe overflow attempt || bugtraq,11775
+3077 || FTP RNFR overflow attempt
+3078 || NNTP SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx
+3079 || WEB-CLIENT Microsoft ANI file parsing overflow || cve,2004-1049
+3080 || MISC Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608
+3081 || BACKDOOR Y3KRAT 1.5 Connect
+3082 || BACKDOOR Y3KRAT 1.5 Connect Client Response
+3083 || BACKDOOR Y3KRAT 1.5 Connection confirmation
+3084 || EXPLOIT Veritas backup overflow attempt || bugtraq,11974 || cve,2004-1172
+3085 || EXPLOIT AIM goaway message buffer overflow attempt || bugtraq,10889 || cve,2004-0636
+3086 || WEB-MISC 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt || bugtraq,11408
+3087 || WEB-IIS w3who.dll buffer overflow attempt || bugtraq,11820 || cve,2004-1134
+3088 || WEB-CLIENT winamp .cda file name overflow attempt || bugtraq,11730
+3089 || DOS 
squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095
+3090 || NETBIOS SMB llsrpc create tree attempt
+3091 || NETBIOS SMB llsrpc unicode create tree attempt
+3092 || NETBIOS SMB llsrpc andx create tree attempt
+3093 || NETBIOS SMB llsrpc unicode andx create tree attempt
+3094 || NETBIOS SMB-DS llsrpc create tree attempt
+3095 || NETBIOS SMB-DS llsrpc unicode create tree attempt
+3096 || NETBIOS SMB-DS llsrpc andx create tree attempt
+3097 || NETBIOS SMB-DS llsrpc unicode andx create tree attempt
+3098 || NETBIOS SMB llsrpc bind attempt
+3099 || NETBIOS SMB llsrpc little endian bind attempt
+3100 || NETBIOS SMB llsrpc unicode bind attempt
+3101 || NETBIOS SMB llsrpc unicode little endian bind attempt
+3102 || NETBIOS SMB llsrpc andx bind attempt
+3103 || NETBIOS SMB llsrpc little endian andx bind attempt
+3104 || NETBIOS SMB llsrpc unicode andx bind attempt
+3105 || NETBIOS SMB llsrpc unicode little endian andx bind attempt
+3106 || NETBIOS SMB-DS llsrpc bind attempt
+3107 || NETBIOS SMB-DS llsrpc little endian bind attempt
+3108 || NETBIOS SMB-DS llsrpc unicode bind attempt
+3109 || NETBIOS SMB-DS llsrpc unicode little endian bind attempt
+3110 || NETBIOS SMB-DS llsrpc andx bind attempt
+3111 || NETBIOS SMB-DS llsrpc little endian andx bind attempt
+3112 || NETBIOS SMB-DS llsrpc unicode andx bind attempt
+3113 || NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt
+3114 || NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3115 || NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3116 || NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3117 || NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3118 || NETBIOS SMB llsrconnect andx overflow attempt || 
url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3119 || NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3120 || NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3121 || NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3122 || NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3123 || NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3124 || NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3125 || NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3126 || NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3127 || NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3128 || NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3129 || NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx
+3130 || EXPLOIT MSN Messenger png overflow || bugtraq,10872 || cve,2004-0957 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3131 || WEB-CGI mailman directory traversal attempt || cve,2005-0202
+3132 || WEB-CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3133 || WEB-CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 
|| cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3134 || WEB-CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx
+3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt
+3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt
+3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt
+3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt
+3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt
+3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt
+3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt
+3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt
+3143 || NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3144 || NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3145 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3146 || NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx
+3147 || TELNET login buffer overflow attempt || bugtraq,3681 || cve,2001-0797
+3148 || WEB-CLIENT winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt
+3149 || WEB-CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx
+3150 || WEB-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || url,www.microsoft.com/technet/security/bulletin/MS02-030.mspx || url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt
+3151 || FINGER / execution attempt || cve,1999-0612 || cve,2000-0915
+3152 || MS-SQL sa brute force failed login attempt || 
bugtraq,4797 || cve,2000-1209 || nessus,10673
+3153 || DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009
+3154 || DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009
+3155 || BACKDOOR BackOrifice 2000 Inbound Traffic
+3156 || NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3157 || NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3158 || NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3159 || NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3160 || NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3161 || NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3162 || NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3163 || NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3164 || NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || 
url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3165 || NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3166 || NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3167 || NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3168 || NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3169 || NETBIOS SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3170 || NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3171 || NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3172 || NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3173 || NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3174 || NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3175 || NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3176 || NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3177 || NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3178 || NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3179 || NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3180 || NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3181 || NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3182 || NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3183 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || 
url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3184 || NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3185 || NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3186 || NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3187 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3188 || NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3189 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3190 || NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3191 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3192 || WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || 
cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx
+3193 || WEB-IIS .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886
+3194 || WEB-IIS .bat executable file parsing attack || bugtraq,1912 || cve,2000-0886
+3195 || NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825
+3196 || NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825
+3197 || NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3198 || NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx
+3199 || EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx
+3200 || EXPLOIT WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx
+3201 || WEB-IIS httpodbc.dll access - nimda || bugtraq,2708 || cve,2001-0333
+3202 || NETBIOS SMB winreg bind attempt
+3203 || NETBIOS SMB winreg little endian bind attempt
+3204 || NETBIOS SMB winreg unicode bind attempt
+3205 || NETBIOS SMB winreg unicode little endian bind attempt
+3206 || NETBIOS SMB winreg andx bind attempt
+3207 || NETBIOS SMB winreg little endian andx bind attempt
+3208 || NETBIOS SMB winreg unicode andx bind attempt
+3209 || NETBIOS SMB winreg unicode little endian andx bind attempt
+3210 || NETBIOS SMB-DS winreg bind attempt
+3211 || NETBIOS SMB-DS winreg little endian bind attempt
+3212 || NETBIOS SMB-DS winreg unicode bind attempt
+3213 || NETBIOS SMB-DS winreg unicode little endian bind attempt
+3214 || NETBIOS SMB-DS winreg andx bind attempt
+3215 || NETBIOS SMB-DS winreg little endian andx bind attempt
+3216 || NETBIOS SMB-DS winreg unicode andx bind 
attempt
+3217 || NETBIOS SMB-DS winreg unicode little endian andx bind attempt
+3218 || NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
+3219 || NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3220 || NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
+3221 || NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3222 || NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3223 || NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3224 || NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3225 || NETBIOS SMB OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3226 || NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377
+3227 || NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3228 || NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377
+3229 || NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377
+3230 || NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3231 || NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3232 || NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377
+3233 || NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx
+3234 || NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717
+3235 || NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717
+3236 || NETBIOS DCERPC irot bind attempt
+3237 || NETBIOS DCERPC irot little endian bind attempt 
+3238 || NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3239 || NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3240 || NETBIOS SMB irot bind attempt +3241 || NETBIOS SMB irot little endian bind attempt +3242 || NETBIOS SMB irot unicode bind attempt +3243 || NETBIOS SMB irot unicode little endian bind attempt +3244 || NETBIOS SMB irot andx bind attempt +3245 || NETBIOS SMB irot little endian andx bind attempt +3246 || NETBIOS SMB irot unicode andx bind attempt +3247 || NETBIOS SMB irot unicode little endian andx bind attempt +3248 || NETBIOS SMB-DS irot bind attempt +3249 || NETBIOS SMB-DS irot little endian bind attempt +3250 || NETBIOS SMB-DS irot unicode bind attempt +3251 || NETBIOS SMB-DS irot unicode little endian bind attempt +3252 || NETBIOS SMB-DS irot andx bind attempt +3253 || NETBIOS SMB-DS irot little endian andx bind attempt +3254 || NETBIOS SMB-DS irot unicode andx bind attempt +3255 || NETBIOS SMB-DS irot unicode little endian andx bind attempt +3256 || NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3257 || NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3258 || NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3259 || NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3260 || NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3261 || NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 
|| cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3262 || NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3263 || NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3264 || NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3265 || NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3266 || NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3267 || NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3268 || NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3269 || NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3270 || NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3271 || NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +3272 || BACKDOOR mydoom.a backdoor upload/execute attempt +3273 || MS-SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 +3274 || TELNET login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797 +3275 || NETBIOS DCERPC IActivation bind attempt +3276 || NETBIOS DCERPC 
IActivation little endian bind attempt +3377 || NETBIOS SMB IActivation bind attempt +3378 || NETBIOS SMB IActivation little endian bind attempt +3379 || NETBIOS SMB IActivation unicode bind attempt +3380 || NETBIOS SMB IActivation unicode little endian bind attempt +3381 || NETBIOS SMB IActivation andx bind attempt +3382 || NETBIOS SMB IActivation little endian andx bind attempt +3383 || NETBIOS SMB IActivation unicode andx bind attempt +3384 || NETBIOS SMB IActivation unicode little endian andx bind attempt +3385 || NETBIOS SMB-DS IActivation bind attempt +3386 || NETBIOS SMB-DS IActivation little endian bind attempt +3387 || NETBIOS SMB-DS IActivation unicode bind attempt +3388 || NETBIOS SMB-DS IActivation unicode little endian bind attempt +3389 || NETBIOS SMB-DS IActivation andx bind attempt +3390 || NETBIOS SMB-DS IActivation little endian andx bind attempt +3391 || NETBIOS SMB-DS IActivation unicode andx bind attempt +3392 || NETBIOS SMB-DS IActivation unicode little endian andx bind attempt +3393 || NETBIOS SMB ISystemActivator bind attempt +3394 || NETBIOS SMB ISystemActivator little endian bind attempt +3395 || NETBIOS SMB ISystemActivator unicode bind attempt +3396 || NETBIOS SMB ISystemActivator unicode little endian bind attempt +3397 || NETBIOS SMB ISystemActivator andx bind attempt +3398 || NETBIOS SMB ISystemActivator little endian andx bind attempt +3399 || NETBIOS SMB ISystemActivator unicode andx bind attempt +3400 || NETBIOS SMB ISystemActivator unicode little endian andx bind attempt +3401 || NETBIOS SMB-DS ISystemActivator bind attempt +3402 || NETBIOS SMB-DS ISystemActivator little endian bind attempt +3403 || NETBIOS SMB-DS ISystemActivator unicode bind attempt +3404 || NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt +3405 || NETBIOS SMB-DS ISystemActivator andx bind attempt +3406 || NETBIOS SMB-DS ISystemActivator little endian andx bind attempt +3407 || NETBIOS SMB-DS ISystemActivator unicode andx bind attempt +3408 || 
NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt +3409 || NETBIOS SMB RemoteActivation attempt +3410 || NETBIOS SMB RemoteActivation little endian attempt +3411 || NETBIOS SMB RemoteActivation unicode attempt +3412 || NETBIOS SMB RemoteActivation unicode little endian attempt +3413 || NETBIOS SMB RemoteActivation andx attempt +3414 || NETBIOS SMB RemoteActivation little endian andx attempt +3415 || NETBIOS SMB RemoteActivation unicode andx attempt +3416 || NETBIOS SMB RemoteActivation unicode little endian andx attempt +3417 || NETBIOS SMB-DS RemoteActivation attempt +3418 || NETBIOS SMB-DS RemoteActivation little endian attempt +3419 || NETBIOS SMB-DS RemoteActivation unicode attempt +3420 || NETBIOS SMB-DS RemoteActivation unicode little endian attempt +3421 || NETBIOS SMB-DS RemoteActivation andx attempt +3422 || NETBIOS SMB-DS RemoteActivation little endian andx attempt +3423 || NETBIOS SMB-DS RemoteActivation unicode andx attempt +3424 || NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt +3425 || NETBIOS SMB CoGetInstanceFromFile attempt +3426 || NETBIOS SMB CoGetInstanceFromFile little endian attempt +3427 || NETBIOS SMB CoGetInstanceFromFile unicode attempt +3428 || NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt +3429 || NETBIOS SMB CoGetInstanceFromFile andx attempt +3430 || NETBIOS SMB CoGetInstanceFromFile little endian andx attempt +3431 || NETBIOS SMB CoGetInstanceFromFile unicode andx attempt +3432 || NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt +3433 || NETBIOS SMB-DS CoGetInstanceFromFile attempt +3434 || NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt +3435 || NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt +3436 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt +3437 || NETBIOS SMB-DS CoGetInstanceFromFile andx attempt +3438 || NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt +3439 || NETBIOS SMB-DS 
CoGetInstanceFromFile unicode andx attempt +3440 || NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt +3441 || FTP PORT bounce attempt +3442 || DOS WIN32 TCP print service denial of service attempt || bugtraq,1082 || cve,2000-0232 || url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx +3443 || MS-SQL DNS query with 1 requests +3444 || MS-SQL DNS query with 2 requests +3445 || MS-SQL DNS query with 3 requests +3446 || MS-SQL DNS query with 4 requests +3447 || MS-SQL DNS query with 5 requests +3448 || MS-SQL DNS query with 6 requests +3449 || MS-SQL DNS query with 7 requests +3450 || MS-SQL DNS query with 8 requests +3451 || MS-SQL DNS query with 9 requests +3452 || MS-SQL DNS query with 10 requests +3453 || MISC Arkeia client backup system info probe || bugtraq,12594 +3454 || MISC Arkeia client backup generic info probe || bugtraq,12594 +3455 || EXPLOIT Bontago Game Server Nickname Buffer Overflow || bugtraq,12603 || url,aluigi.altervista.org/adv/bontagobof-adv.txt +3456 || MYSQL 4.0 root login attempt +3457 || EXPLOIT Arkeia backup client type 77 overflow attempt || bugtraq,12594 +3458 || EXPLOIT Arkeia backup client type 84 overflow attempt || bugtraq,12594 +3459 || P2P Manolito Search Query || url,openlito.sourceforge.net || url,www.blubster.com +3460 || FTP REST with numeric argument || bugtraq,7825 +3461 || SMTP Content-Type overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx +3462 || SMTP Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx +3463 || WEB-CGI awstats access || bugtraq,12572 +3464 || WEB-CGI awstats.pl command execution attempt || bugtraq,12572 +3465 || WEB-CGI RiSearch show.pl proxy attempt || bugtraq,10812 +3466 || WEB-MISC Authorization Basic overflow attempt || bugtraq,8375 || cve,2003-0727 +3467 || WEB-MISC CISCO VoIP Portinformation access || bugtraq,4798 || 
cve,2002-0882 +3468 || WEB-CGI math_sum.mscgi access || bugtraq,10831 || nessus,14182 +3469 || WEB-CGI Ipswitch WhatsUp Gold dos attempt || bugtraq,11110 || cve,2004-0799 || url,www.idefense.com/application/poi/display?id=142&type=vulnerabilities || url,www.ipswitch.com/Support/WhatsUp/patch-upgrades.html || url,www.secunia.com/advisories/12578/ +3470 || WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow || bugtraq,11309 || url,www.eeye.com/html/research/advisories/AD20041001.html +3471 || WEB-CLIENT iTunes playlist URL overflow attempt || bugtraq,12238 || cve,2005-0043 +3472 || EXPLOIT ARCserve discovery service overflow || bugtraq,12491 || can,2005-0260 +3473 || WEB-CLIENT RealPlayer SMIL file overflow attempt || bugtraq,12698 || cve,2005-0455 +3474 || EXPLOIT ARCserve backup TCP slot info msg client name overflow || bugtraq,12563 +3475 || EXPLOIT ARCserve backup TCP slot info msg client domain overflow || bugtraq,12563 +3476 || EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow || bugtraq,12563 +3477 || EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow || bugtraq,12563 +3478 || EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow || bugtraq,12563 +3479 || EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow || bugtraq,12563 +3480 || EXPLOIT ARCserve backup UDP slot info msg client name overflow || bugtraq,12563 +3481 || EXPLOIT ARCserve backup UDP slot info msg client domain overflow || bugtraq,12563 +3482 || EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow || bugtraq,12563 +3483 || EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow || bugtraq,12563 +3484 || EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow || bugtraq,12563 +3485 || EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow || bugtraq,12563 +3486 || WEB-MISC SSLv3 invalid data version attempt || bugtraq,10115 || cve,2004-0120 || 
nessus,12204 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +3487 || IMAP SSLv2 Client_Hello request +3488 || IMAP SSLv2 Client_Hello with pad request +3489 || IMAP TLSv1 Client_Hello request +3490 || IMAP TLSv1 Client_Hello via SSLv2 handshake request +3491 || IMAP SSLv2 Server_Hello request +3492 || IMAP TLSv1 Server_Hello request +3493 || SMTP SSLv2 Client_Hello request +3494 || SMTP SSLv2 Client_Hello with pad request +3495 || SMTP TLSv1 Client_Hello request +3496 || SMTP TLSv1 Client_Hello via SSLv2 handshake request +3497 || SMTP SSLv2 Server_Hello request +3498 || SMTP TLSv1 Server_Hello request +3499 || POP3 SSLv2 Client_Hello request +3500 || POP3 SSLv2 Client_Hello with pad request +3501 || POP3 TLSv1 Client_Hello request +3502 || POP3 TLSv1 Client_Hello via SSLv2 handshake request +3503 || POP3 SSLv2 Server_Hello request +3504 || POP3 TLSv1 Server_Hello request +3505 || POP3 SSLv2 Client_Hello request +3506 || POP3 SSLv2 Client_Hello with pad request +3507 || POP3 TLSv1 Client_Hello request +3508 || POP3 TLSv1 Client_Hello via SSLv2 handshake request +3509 || POP3 SSLv2 Server_Hello request +3510 || POP3 TLSv1 Server_Hello request +3511 || SMTP PCT Client_Hello overflow attempt || bugtraq,10116 || cve,2003-0719 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +3512 || ORACLE utl_file.fcopy directory traversal attempt || bugtraq,12749 +3513 || ORACLE utl_file.fopen_nchar directory traversal attempt || bugtraq,12749 +3514 || ORACLE utl_file.fopen directory traversal attempt || bugtraq,12749 +3515 || ORACLE utl_file.fremove directory traversal attempt || bugtraq,12749 +3516 || ORACLE utl_file.frename directory traversal attempt || bugtraq,12749 +3517 || EXPLOIT Computer Associates license PUTOLF overflow attempt || bugtraq,12705 || cve,2005-0581 +3518 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow || bugtraq,12265 +3519 || WEB-MISC MySQL MaxDB WebSQL wppassword buffer overflow default port || bugtraq,12265 +3520 
|| EXPLOIT Computer Associates license GCR NETWORK overflow attempt || bugtraq,12705 || cve,2005-0581 +3521 || EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt || bugtraq,12705 || cve,2005-0581 +3522 || EXPLOIT Computer Associates license GETCONFIG server overflow attempt || bugtraq,12705 || cve,2005-0581 +3523 || FTP SITE INDEX format string attempt +3524 || EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt || bugtraq,12705 || cve,2005-0581 +3525 || EXPLOIT Computer Associates license invalid GCR NETWORK attempt || bugtraq,12705 || cve,2005-0581 +3526 || ORACLE XDB FTP UNLOCK overflow attempt || bugtraq,8375 || cve,2003-0727 +3527 || EXPLOIT Solaris LPD overflow attempt || bugtraq,3274 +3528 || MYSQL CREATE FUNCTION attempt || bugtraq,12781 || cve,2005-0709 +3529 || EXPLOIT Computer Associates license GETCONFIG client overflow attempt || bugtraq,12705 || cve,2005-0581 +3530 || EXPLOIT ARCserve backup UDP msg 0x99 client name overflow || bugtraq,12563 +3531 || EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow || bugtraq,12563 +3532 || FTP ORACLE password buffer overflow attempt || bugtraq,8375 +3533 || TELNET client LINEMODE SLC overflow attempt || bugtraq,12918 || cve,2005-0469 +3534 || WEB-CLIENT Mozilla GIF heap overflow || bugtraq,12881 || cve,2005-0399 +3535 || WEB-CLIENT GIF transfer +3536 || WEB-CLIENT Mozilla GIF multipacket heap overflow || bugtraq,12881 || cve,2005-0399 +3537 || TELNET client ENV OPT escape overflow attempt || bugtraq,12918 || cve,2005-0469 +3538 || EXPLOIT RADIUS registration MSID overflow attempt || bugtraq,12759 || cve,2005-0699 +3539 || EXPLOIT RADIUS MSID overflow attempt || bugtraq,12759 || cve,2005-0699 +3540 || EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 +3541 || EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt || bugtraq,12759 || cve,2005-0699 +3542 || MS-SQL SA brute force login attempt || cve,2000-1209 || nessus,10673 +3543 || 
MS-SQL SA brute force login attempt TDS v7/8 || cve,2000-1209 || nessus,10673 +3544 || WEB-MISC TrackerCam ComGetLogFile.php3 directory traversal attempt || bugtraq,12592 || cve,2005-0481 +3545 || WEB-MISC TrackerCam ComGetLogFile.php3 log information disclosure || bugtraq,12592 || cve,2005-0481 +3546 || WEB-MISC TrackerCam User-Agent buffer overflow attempt || bugtraq,12592 || cve,2005-0481 +3547 || WEB-MISC TrackerCam overly long php parameter overflow attempt || bugtraq,12592 || cve,2005-0481 +3548 || WEB-MISC TrackerCam negative Content-Length attempt || bugtraq,12592 || cve,2005-0481 +3549 || WEB-CLIENT HTML DOM invalid element creation attempt || cve,2005-0553 +3550 || WEB-CLIENT HTML http scheme hostname overflow attempt || cve,2005-0553 +3551 || WEB-CLIENT .hta download attempt +3552 || WEB-CLIENT OLE32 MSHTA masquerade attempt || cve,2005-0063 +3553 || WEB-CLIENT HTML DOM null element insertion attempt || cve,2005-0553 +3554 || NETBIOS DCERPC-DIRECT mqqm bind attempt +3555 || NETBIOS DCERPC-DIRECT mqqm little endian bind attempt +3556 || NETBIOS DCERPC mqqm bind attempt +3557 || NETBIOS DCERPC mqqm little endian bind attempt +3558 || NETBIOS SMB mqqm WriteAndX andx bind attempt +3559 || NETBIOS SMB mqqm WriteAndX bind attempt +3560 || NETBIOS SMB mqqm WriteAndX little endian andx bind attempt +3561 || NETBIOS SMB mqqm WriteAndX little endian bind attempt +3562 || NETBIOS SMB mqqm WriteAndX unicode andx bind attempt +3563 || NETBIOS SMB mqqm WriteAndX unicode bind attempt +3564 || NETBIOS SMB mqqm WriteAndX unicode little endian andx bind attempt +3565 || NETBIOS SMB mqqm WriteAndX unicode little endian bind attempt +3566 || NETBIOS SMB mqqm andx bind attempt +3567 || NETBIOS SMB mqqm bind attempt +3568 || NETBIOS SMB mqqm little endian andx bind attempt +3569 || NETBIOS SMB mqqm little endian bind attempt +3570 || NETBIOS SMB mqqm unicode andx bind attempt +3571 || NETBIOS SMB mqqm unicode bind attempt +3572 || NETBIOS SMB mqqm unicode little endian andx 
bind attempt +3573 || NETBIOS SMB mqqm unicode little endian bind attempt +3574 || NETBIOS SMB-DS mqqm WriteAndX andx bind attempt +3575 || NETBIOS SMB-DS mqqm WriteAndX bind attempt +3576 || NETBIOS SMB-DS mqqm WriteAndX little endian andx bind attempt +3577 || NETBIOS SMB-DS mqqm WriteAndX little endian bind attempt +3578 || NETBIOS SMB-DS mqqm WriteAndX unicode andx bind attempt +3579 || NETBIOS SMB-DS mqqm WriteAndX unicode bind attempt +3580 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian andx bind attempt +3581 || NETBIOS SMB-DS mqqm WriteAndX unicode little endian bind attempt +3582 || NETBIOS SMB-DS mqqm andx bind attempt +3583 || NETBIOS SMB-DS mqqm bind attempt +3584 || NETBIOS SMB-DS mqqm little endian andx bind attempt +3585 || NETBIOS SMB-DS mqqm little endian bind attempt +3586 || NETBIOS SMB-DS mqqm unicode andx bind attempt +3587 || NETBIOS SMB-DS mqqm unicode bind attempt +3588 || NETBIOS SMB-DS mqqm unicode little endian andx bind attempt +3589 || NETBIOS SMB-DS mqqm unicode little endian bind attempt +3590 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3591 || NETBIOS DCERPC-DIRECT mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3592 || NETBIOS DCERPC mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3593 || NETBIOS DCERPC mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3594 || NETBIOS SMB mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3595 || NETBIOS SMB mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3596 || NETBIOS 
SMB mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3597 || NETBIOS SMB mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3598 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3599 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3600 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3601 || NETBIOS SMB mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3602 || NETBIOS SMB mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3603 || NETBIOS SMB mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3604 || NETBIOS SMB mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3605 || NETBIOS SMB mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3606 || NETBIOS SMB mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3607 || NETBIOS SMB mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3608 || NETBIOS SMB mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3609 || NETBIOS SMB mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3610 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3611 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3612 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3613 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3614 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3615 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3616 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3617 || NETBIOS SMB-DS mqqm QMDeleteObject WriteAndX unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3618 || NETBIOS SMB-DS mqqm QMDeleteObject andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3619 || NETBIOS SMB-DS mqqm QMDeleteObject little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3620 || NETBIOS SMB-DS mqqm QMDeleteObject little endian overflow attempt || cve,2005-0059 || 
url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3621 || NETBIOS SMB-DS mqqm QMDeleteObject overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3622 || NETBIOS SMB-DS mqqm QMDeleteObject unicode andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3623 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian andx overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3624 || NETBIOS SMB-DS mqqm QMDeleteObject unicode little endian overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3625 || NETBIOS SMB-DS mqqm QMDeleteObject unicode overflow attempt || cve,2005-0059 || url,www.microsoft.com/technet/security/Bulletin/MS05-017.mspx +3626 || ICMP PATH MTU denial of service || cve,2004-1060 +3627 || POLICY X-LINK2STATE CHUNK attempt || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx +3628 || POLICY IDA Pro startup license check attempt +3629 || WEB-MISC sambar /search/results.stm access || bugtraq,7975 +3630 || FTP ORACLE TEST command buffer overflow attempt || bugtraq,8375 +3631 || FTP ORACLE user name buffer overflow attempt || bugtraq,8375 +3632 || WEB-CLIENT Mozilla bitmap width integer overflow attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 +3633 || WEB-CLIENT bitmap transfer +3634 || WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt || bugtraq,11171 || cve,2004-0904 || url,bugzilla.mozilla.org/show_bug.cgi?id=255067 +3635 || BACKDOOR Amanda 2.0 connection established +3636 || BACKDOOR Crazzy Net 5.0 connection established +3637 || EXPLOIT Computer Associates license PUTOLF directory traversal attempt || bugtraq,12705 || cve,2005-0581 +3638 || WEB-CGI SoftCart.exe CGI buffer overflow attempt || bugtraq,10926 +3639 || NETBIOS SMB Trans andx data displacement null pointer DOS attempt 
|| bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3640 || NETBIOS SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3641 || NETBIOS SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3642 || NETBIOS SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3643 || NETBIOS SMB-DS Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3644 || NETBIOS SMB-DS Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3645 || NETBIOS SMB-DS Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3646 || NETBIOS SMB-DS Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3647 || NETBIOS-DG SMB Trans andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3648 || NETBIOS-DG SMB Trans data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3649 || NETBIOS-DG SMB Trans unicode data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3650 || NETBIOS-DG SMB Trans unicode andx data displacement null pointer DOS attempt || bugtraq,13504 || url,www.ethereal.com/news/item_20050504_01.html +3651 || EXPLOIT CVS rsh annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 +3652 || EXPLOIT CVS pserver annotate revision overflow attempt || bugtraq,13217 || cve,2005-0753 || 
url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141 || url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142 +3653 || SMTP SAML overflow attempt || bugtraq,11238 +3654 || SMTP SOML overflow attempt || bugtraq,11238 +3655 || SMTP SEND overflow attempt || bugtraq,11238 +3656 || SMTP MAIL overflow attempt || bugtraq,11238 +3657 || ORACLE ctxsys.driload attempt || bugtraq,11099 || cve,2004-0637 +3658 || EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3659 || EXPLOIT ARCserve backup universal agent option 1000 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3660 || EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3661 || EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3662 || EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3663 || EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt || bugtraq,13102 || cve,2005-1018 +3664 || EXPLOIT PPTP echo request buffer overflow attempt || bugtaq,7316 || cve,2003-0213 +3665 || MYSQL server greeting || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3666 || MYSQL server greeting finished || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, +3667 || MYSQL protocol 41 client authentication bypass attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3668 || MYSQL client authentication bypass attempt || bugtraq,10655 || www.nextgenss.com/advisories/mysql-authbypass.txt, +3669 || MYSQL protocol 41 secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3670 || MYSQL secure client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3671 || MYSQL protocol 41 
client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3672 || MYSQL client overflow attempt || bugtraq,10655 || url,www.nextgenss.com/advisories/mysql-authbypass.txt +3673 || MISC Microsoft SMS remote control client DoS overly long length attempt || bugtraq,10726 || cve,2004-0728 +3674 || WEB-CGI db4web_c directory traversal attempt || bugtraq,5723 || cve,2002-1483 || nessus,11182 +3675 || MISC IBM DB2 DTS empty format string dos attempt || bugtraq,11400 || url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781 +3676 || WEB-MISC newsscript.pl admin attempt || bugtraq,12761 +3677 || EXPLOIT SIP UDP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html +3678 || EXPLOIT SIP TCP CSeq overflow attempt || url,www.ethereal.com/news/item_20050504_01.html +3679 || WEB-CLIENT Firefox IFRAME src javascript code execution || bugtraq,13544 || cve,2005-1476 +3680 || P2P AOL Instant Messenger Message Send +3681 || P2P AOL Instant Messenger Message Receive +3682 || SMTP spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx +3683 || WEB-CLIENT spoofed MIME-Type auto-execution attempt || bugtraq,2524 || cve,2001-0154 || url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx +3684 || WEB-CLIENT Bitmap Transfer +3685 || WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt || bugtraq,9663 || cve,2004-0566 +3686 || WEB-CLIENT Internet Explorer Content Advisor attempted overflow || bugtraq,13117 || cve,2005-0555 +3687 || TELNET client ENV OPT USERVAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx +3688 || TELNET client ENV OPT VAR information disclosure || cve,2005-1205 || url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx +3689 || WEB-CLIENT Internet Explorer tRNS overflow attempt || bugtraq,13941 || cve,2005-1211 || 
url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx +3690 || WEB-CGI Nucleus CMS action.php itemid SQL injection || bugtraq,10798 || nessus,14194 +3691 || CHAT Yahoo Messenger Message +3692 || CHAT Yahoo Messenger File Transfer Initiation Request +3693 || WEB-MISC IBM WebSphere j_security_check overflow attempt || bugtraq,13853 +3694 || WEB-MISC Squid content length cache poisoning attempt || bugtraq,12412 || cve,2005-0174 +3695 || EXPLOIT Veritas Backup Agent password overflow attempt || cve,2005-0773 +3696 || EXPLOIT Veritas Backup Agent DoS attempt || bugtraq,14201 || cve,2005-0772 +3697 || NETBIOS DCERPC DIRECT veritas alter context attempt +3698 || NETBIOS DCERPC DIRECT veritas bind attempt +3699 || NETBIOS DCERPC DIRECT veritas little endian alter context attempt +3700 || NETBIOS DCERPC DIRECT veritas little endian bind attempt +3701 || NETBIOS DCERPC NCACN-IP-TCP veritas alter context attempt +3702 || NETBIOS DCERPC NCACN-IP-TCP veritas bind attempt +3703 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian alter context attempt +3704 || NETBIOS DCERPC NCACN-IP-TCP veritas little endian bind attempt +3705 || NETBIOS SMB veritas WriteAndX alter context attempt +3706 || NETBIOS SMB veritas WriteAndX andx alter context attempt +3707 || NETBIOS SMB veritas WriteAndX andx bind attempt +3708 || NETBIOS SMB veritas WriteAndX bind attempt +3709 || NETBIOS SMB veritas WriteAndX little endian alter context attempt +3710 || NETBIOS SMB veritas WriteAndX little endian andx alter context attempt +3711 || NETBIOS SMB veritas WriteAndX little endian andx bind attempt +3712 || NETBIOS SMB veritas WriteAndX little endian bind attempt +3713 || NETBIOS SMB veritas WriteAndX unicode alter context attempt +3714 || NETBIOS SMB veritas WriteAndX unicode andx alter context attempt +3715 || NETBIOS SMB veritas WriteAndX unicode andx bind attempt +3716 || NETBIOS SMB veritas WriteAndX unicode bind attempt +3717 || NETBIOS SMB veritas WriteAndX unicode little endian alter 
context attempt
+3718 || NETBIOS SMB veritas WriteAndX unicode little endian andx alter context attempt
+3719 || NETBIOS SMB veritas WriteAndX unicode little endian andx bind attempt
+3720 || NETBIOS SMB veritas WriteAndX unicode little endian bind attempt
+3721 || NETBIOS SMB veritas alter context attempt
+3722 || NETBIOS SMB veritas andx alter context attempt
+3723 || NETBIOS SMB veritas andx bind attempt
+3724 || NETBIOS SMB veritas bind attempt
+3725 || NETBIOS SMB veritas little endian alter context attempt
+3726 || NETBIOS SMB veritas little endian andx alter context attempt
+3727 || NETBIOS SMB veritas little endian andx bind attempt
+3728 || NETBIOS SMB veritas little endian bind attempt
+3729 || NETBIOS SMB veritas unicode alter context attempt
+3730 || NETBIOS SMB veritas unicode andx alter context attempt
+3731 || NETBIOS SMB veritas unicode andx bind attempt
+3732 || NETBIOS SMB veritas unicode bind attempt
+3733 || NETBIOS SMB veritas unicode little endian alter context attempt
+3734 || NETBIOS SMB veritas unicode little endian andx alter context attempt
+3735 || NETBIOS SMB veritas unicode little endian andx bind attempt
+3736 || NETBIOS SMB veritas unicode little endian bind attempt
+3737 || NETBIOS SMB-DS veritas WriteAndX alter context attempt
+3738 || NETBIOS SMB-DS veritas WriteAndX andx alter context attempt
+3739 || NETBIOS SMB-DS veritas WriteAndX andx bind attempt
+3740 || NETBIOS SMB-DS veritas WriteAndX bind attempt
+3741 || NETBIOS SMB-DS veritas WriteAndX little endian alter context attempt
+3742 || NETBIOS SMB-DS veritas WriteAndX little endian andx alter context attempt
+3743 || NETBIOS SMB-DS veritas WriteAndX little endian andx bind attempt
+3744 || NETBIOS SMB-DS veritas WriteAndX little endian bind attempt
+3745 || NETBIOS SMB-DS veritas WriteAndX unicode alter context attempt
+3746 || NETBIOS SMB-DS veritas WriteAndX unicode andx alter context attempt
+3747 || NETBIOS SMB-DS veritas WriteAndX unicode andx bind attempt
+3748 || 
NETBIOS SMB-DS veritas WriteAndX unicode bind attempt
+3749 || NETBIOS SMB-DS veritas WriteAndX unicode little endian alter context attempt
+3750 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx alter context attempt
+3751 || NETBIOS SMB-DS veritas WriteAndX unicode little endian andx bind attempt
+3752 || NETBIOS SMB-DS veritas WriteAndX unicode little endian bind attempt
+3753 || NETBIOS SMB-DS veritas alter context attempt
+3754 || NETBIOS SMB-DS veritas andx alter context attempt
+3755 || NETBIOS SMB-DS veritas andx bind attempt
+3756 || NETBIOS SMB-DS veritas bind attempt
+3757 || NETBIOS SMB-DS veritas little endian alter context attempt
+3758 || NETBIOS SMB-DS veritas little endian andx alter context attempt
+3759 || NETBIOS SMB-DS veritas little endian andx bind attempt
+3760 || NETBIOS SMB-DS veritas little endian bind attempt
+3761 || NETBIOS SMB-DS veritas unicode alter context attempt
+3762 || NETBIOS SMB-DS veritas unicode andx alter context attempt
+3763 || NETBIOS SMB-DS veritas unicode andx bind attempt
+3764 || NETBIOS SMB-DS veritas unicode bind attempt
+3765 || NETBIOS SMB-DS veritas unicode little endian alter context attempt
+3766 || NETBIOS SMB-DS veritas unicode little endian andx alter context attempt
+3767 || NETBIOS SMB-DS veritas unicode little endian andx bind attempt
+3768 || NETBIOS SMB-DS veritas unicode little endian bind attempt
+3769 || NETBIOS DCERPC NCACN-HTTP veritas alter context attempt
+3770 || NETBIOS DCERPC NCACN-HTTP veritas bind attempt
+3771 || NETBIOS DCERPC NCACN-HTTP veritas little endian alter context attempt
+3772 || NETBIOS DCERPC NCACN-HTTP veritas little endian bind attempt
+3773 || NETBIOS DCERPC DIRECT-UDP veritas alter context attempt
+3774 || NETBIOS DCERPC DIRECT-UDP veritas bind attempt
+3775 || NETBIOS DCERPC DIRECT-UDP veritas little endian alter context attempt
+3776 || NETBIOS DCERPC DIRECT-UDP veritas little endian bind attempt
+3777 || NETBIOS DCERPC NCADG-IP-UDP veritas alter context 
attempt
+3778 || NETBIOS DCERPC NCADG-IP-UDP veritas bind attempt
+3779 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian alter context attempt
+3780 || NETBIOS DCERPC NCADG-IP-UDP veritas little endian bind attempt
+3781 || NETBIOS-DG SMB veritas WriteAndX alter context attempt
+3782 || NETBIOS-DG SMB veritas WriteAndX andx alter context attempt
+3783 || NETBIOS-DG SMB veritas WriteAndX andx bind attempt
+3784 || NETBIOS-DG SMB veritas WriteAndX bind attempt
+3785 || NETBIOS-DG SMB veritas WriteAndX little endian alter context attempt
+3786 || NETBIOS-DG SMB veritas WriteAndX little endian andx alter context attempt
+3787 || NETBIOS-DG SMB veritas WriteAndX little endian andx bind attempt
+3788 || NETBIOS-DG SMB veritas WriteAndX little endian bind attempt
+3789 || NETBIOS-DG SMB veritas WriteAndX unicode alter context attempt
+3790 || NETBIOS-DG SMB veritas WriteAndX unicode andx alter context attempt
+3791 || NETBIOS-DG SMB veritas WriteAndX unicode andx bind attempt
+3792 || NETBIOS-DG SMB veritas WriteAndX unicode bind attempt
+3793 || NETBIOS-DG SMB veritas WriteAndX unicode little endian alter context attempt
+3794 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx alter context attempt
+3795 || NETBIOS-DG SMB veritas WriteAndX unicode little endian andx bind attempt
+3796 || NETBIOS-DG SMB veritas WriteAndX unicode little endian bind attempt
+3797 || NETBIOS-DG SMB veritas alter context attempt
+3798 || NETBIOS-DG SMB veritas andx alter context attempt
+3799 || NETBIOS-DG SMB veritas andx bind attempt
+3800 || NETBIOS-DG SMB veritas bind attempt
+3801 || NETBIOS-DG SMB veritas little endian alter context attempt
+3802 || NETBIOS-DG SMB veritas little endian andx alter context attempt
+3803 || NETBIOS-DG SMB veritas little endian andx bind attempt
+3804 || NETBIOS-DG SMB veritas little endian bind attempt
+3805 || NETBIOS-DG SMB veritas unicode alter context attempt
+3806 || NETBIOS-DG SMB veritas unicode andx alter context attempt
+3807 || 
NETBIOS-DG SMB veritas unicode andx bind attempt
+3808 || NETBIOS-DG SMB veritas unicode bind attempt
+3809 || NETBIOS-DG SMB veritas unicode little endian alter context attempt
+3810 || NETBIOS-DG SMB veritas unicode little endian andx alter context attempt
+3811 || NETBIOS-DG SMB veritas unicode little endian andx bind attempt
+3812 || NETBIOS-DG SMB veritas unicode little endian bind attempt
+3813 || WEB-CGI awstats.pl configdir command execution attempt || bugtraq,12298 || cve,2005-0116
+3814 || WEB-CLIENT IE javaprxy.dll COM access || bugtraq,14087 || cve,2005-2087
+3815 || SMTP eXchange POP3 mail server overflow attempt || bugtraq,10180
+3816 || WEB-MISC BadBlue ext.dll buffer overflow attempt || bugtraq,7387
+3817 || TFTP GET transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
+3818 || TFTP PUT transfer mode overflow attempt || bugtraq,13821 || cve,2005-1812
+3819 || WEB-CLIENT multipacket CHM file transfer start || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3820 || WEB-CLIENT multipacket CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3821 || WEB-CLIENT CHM file transfer attempt || bugtraq,13953 || cve,2005-1208 || nessus,18482
+3822 || WEB-MISC Real Player realtext long URI request
+3823 || WEB-MISC Real Player realtext file bad version buffer overflow attempt || bugtraq,14048 || cve,2005-1766
+3824 || SMTP AUTH user overflow attempt || bugtraq,13772
+3825 || POLICY AOL Instant Messenger Message Send
+3826 || POLICY AOL Instant Messenger Message Receive
+3827 || WEB-PHP xmlrpc.php post attempt || bugtraq,14088 || cve,2005-1921
--- /dev/null
+++ b/rules/dns.rules
@@ -0,0 +1,54 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: dns.rules,v 1.38.2.3.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#----------
+# DNS RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:6;)
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; 
offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:7;)
+
+
+
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. 
and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
+
+
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; 
rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2922; rev:1;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query"; byte_test:1,<,16,2; byte_test:1,&,8,2; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-recon; sid:2921; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)
--- /dev/null
+++ b/rules/community-icmp.rules
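Review bot: The DNS SPOOF rules sid:253 and sid:254 carry no offset/depth on either content, so the header bytes may match anywhere in a datagram from port 53 and the answer-record bytes are not required to follow them; a legitimate reply that happens to contain the sequence elsewhere alerts just the same. The flags and section counts sit at payload offset 2 of a DNS message, so pinning the first match with `content:"|85 80 00 01 00 01 00 00 00 00|"; offset:2; depth:10;` and chaining the second as `content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; distance:0;` keeps the signature while removing those false positives (sid:254 gets the same treatment with its `|81 80 ...|` bytes, and both rev values should be bumped). In the same hunk, the disabled sid:2922 reads the flags byte at offset 2 although it is a TCP rule, where the 2-byte length prefix moves that byte to offset 4 as the live sid:3153 correctly uses, so its offsets need fixing before anyone re-enables it.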
@@ -0,0 +1,8 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-icmp.rules,v 1.4 2006/06/01 15:51:28 akirk Exp $
+
+#Rule submitted by rmkml
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP Linux DoS sctp Exploit"; icode:2; itype:3; content:"|28 00 00 50 00 00 00 00 F9 57 1F 30 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:nessus,19777; classtype:attempted-user; sid:100000164; rev:2;)
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"COMMUNITY ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:1;)
--- /dev/null
+++ b/rules/community-oracle.rules
@@ -0,0 +1,6 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-oracle.rules,v 1.2 2005/10/13 14:16:06 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3339 (msg:"COMMUNITY ORACLE TNS Listener shutdown via iSQLPlus attempt"; flow:to_server,established; content:"isqlplus"; nocase; content:"COMMAND"; nocase; distance:0; content:"STOP"; nocase; distance:0; content:"LISTENER"; nocase; distance:0; pcre:"/isqlplus\x2F[^\r\n]*COMMAND\s*\x3D\s*STOP[^\r\n\x26]*LISTENER/si"; reference:bugtraq,15032; reference:url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html; classtype:attempted-user; sid:100000166; rev:1;)
--- /dev/null
+++ b/rules/community-game.rules
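Review bot: sid:100000164 describes a Linux DoS in its msg but is tagged `classtype:attempted-user`, which in the default classification table ranks above the `attempted-dos` class that the game-server DoS rules in this same change use, so it will be prioritised as a privilege-gain attempt; unless the nessus 19777 advisory actually reports code execution, `classtype:attempted-dos;` is the consistent choice. It also carries only a nessus reference — if a CVE or bugtraq id exists for the SCTP issue, adding it gives analysts something to correlate on. sid:100000197 alerts on `icode:>18` with no `itype`, which catches only a narrow band of undefined codes since most ICMP types define code 0 alone; a comment stating that this is deliberate, or a per-type rule, would make the intent clear.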
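Review bot: sid:100000166 inspects the raw TCP payload, so a client that percent-encodes the `=` (`COMMAND%3DSTOP`) or any letter of `STOP`/`LISTENER` in the request line defeats both the content checks and the `\x3D` in the pcre, while the web front end presumably decodes it before dispatching the shutdown. Because this is an HTTP request, switching the anchors to the normalized URI — `uricontent:"isqlplus"; nocase;` and the pcre with the `U` modifier (`/…/siU`) — closes that evasion, provided port 3339 is listed in the http_inspect server configuration; that dependency is worth stating in a comment above the rule, and `rev` should be bumped with the change.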
@@ -0,0 +1,10 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-game.rules,v 1.8 2005/11/10 14:15:43 akirk Exp $
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"COMMUNITY GAME Halocon Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12281; sid:100000102; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"COMMUNITY GAME Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12262; sid:100000103; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 27777 (msg:"COMMUNITY GAME Amp II 3D Game Server Denial of Service Empty UDP Packet"; dsize:0; classtype:attempted-dos; reference:bugtraq,12192; sid:100000104; rev:1;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"COMMUNITY GAME FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:1;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 7000 (msg:"COMMUNITY GAME Battle Carry attempt"; dsize:>8192; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:cve,2005-3493; reference:bugtraq,15282; classtype:attempted-dos; sid:100000182; rev:1;)
--- /dev/null
+++ b/rules/oracle.rules
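Review bot: sid:100000182 is the only rule in this file written with `<>`, so a datagram the home-net game server on port 7000 sends out to an external client triggers it as readily as an inbound one; unless server-originated traffic is meant to be flagged, `alert udp $EXTERNAL_NET any -> $HOME_NET 7000` matches the direction of the four rules above it. The `dsize:>8192` test also deserves a note: a UDP payload that large is always IP-fragmented on Ethernet-sized links, so the rule can only fire on datagrams the fragment-reassembly preprocessor has rebuilt and is silently dead when that preprocessor is off. A one-line comment such as `# needs frag reassembly (frag3) enabled: dsize:>8192 only matches the rebuilt datagram` above the rule would warn deployers.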
@@ -0,0 +1,375 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: oracle.rules,v 1.17.2.3.2.4 2005/05/31 17:13:03 mwatchinski Exp $
+#----------
+# ORACLE RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious oracle traffic.
+# These signatures are based from signatures written by Hank Leininger
+# for Enterasys's Dragon IDS that he released
+# publicly.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do oracle development. If you use an
+# Oracle based web application, you should set the destination port to
+# 80 to catch attackers attempting to exploit your web application. 
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views 
access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; 
classtype:protocol-command-decode; sid:1690; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:6;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2599; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; 
classtype:attempted-user; sid:2608; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:bugtraq,7453; reference:cve,2003-0222; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:3;)
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE revoke_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2613; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; 
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; 
pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2620; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;) + 
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;) + +alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;) +alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; 
content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;) +alert 
tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; 
rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_priority_group 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_snapshot_master 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; 
pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; 
sid:2897; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; 
flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2762; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS 
(msg:"ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2856; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; 
classtype:attempted-user; sid:2738; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; 
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; 
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 
$ORACLE_PORTS (msg:"ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE 
dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.alter_priority_nchar 
buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_mas.relocate_masterdef 
buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;) +alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; 
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; 
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:1;)
--- /dev/null
+++ b/rules/x11.rules
@@ -0,0 +1,24 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: x11.rules,v 1.19.2.1.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+#----------
+# X11 RULES
+#----------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; reference:arachnids,395; classtype:unknown; sid:1226; rev:4;)
--- /dev/null
+++ b/rules/community-sql-injection.rules
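Review bot: Both rules watch only `$HOME_NET 6000`, so an X server on display :1 or higher, which listens on 6000 plus the display number, is never inspected; if the intent is to cover any X display on the home network the port should be a range such as `6000:6063`. Neither rule carries a direction in `flow:established`, so sid 1226's `l|00 0B ...|` match and sid 1225's cookie match can also be evaluated on the server-to-client half of the stream; the MIT-MAGIC-COOKIE-1 name travels in the client's connection setup, so `flow:to_server,established` on sid 1225 would cut that waste. sid 1226 is the only rule here tagged `classtype:unknown`, which is worth a one-line comment explaining why it has no priority.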
@@ -0,0 +1,15 @@
+# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# These rules are licensed under the GNU General Public License.
+# Please see the file LICENSE in this directory for more details.
+# $Id: community-sql-injection.rules,v 1.10 2006/10/19 20:19:34 akirk Exp $
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 rawdocdata.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/rawdocdata.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000106; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Microsoft BizTalk Server 2002 RawCustomSearchField.asp"; flow:to_server,established; uricontent:"/rawdocdata.asp?"; nocase; pcre:"/RawCustomSearchField.asp\x3F[^\r\n]*exec/Ui"; classtype:web-application-attack; reference:bugtraq,7470; reference:cve,2003-0118; reference:url,www.microsoft.com/technet/security/bulletin/MS03-016.mspx; sid:100000107; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB board.php"; flow:to_server,established; uricontent:"/board.php"; pcre:"/board.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000108; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION OpenBB member.php"; flow:to_server,established; uricontent:"/member.php"; pcre:"/member.php\x3F\w+\x3D[0-9]+\s/Ui"; classtype:web-application-attack; reference:bugtraq,7404; sid:100000109; rev:1;)
+#Rules submitted by rmkml
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumTopicDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumTopicDetails.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20846; classtype:web-application-attack; sid:100000192; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumAuthDetails Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumAuthDetails.php"; nocase; uricontent:"AuthID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20845; classtype:web-application-attack; sid:100000193; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION WIZZ ForumReply Sql Injection attempt"; flow:to_server,established; uricontent:"/ForumReply.php"; nocase; uricontent:"TopicID|3D|"; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"from"; nocase; uricontent:"ForumUser"; nocase; uricontent:"where"; nocase; reference:bugtraq,15410; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20847; classtype:web-application-attack; sid:100000194; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION BXCP Sql Injection attempt"; flow:to_server,established; uricontent:"/index.php"; nocase; uricontent:"where="; nocase; uricontent:"union"; nocase; uricontent:"select"; nocase; pcre:"/\x2b\w*\x54\w*/"; reference:bugtraq,18765; reference:url,www.milw0rm.com/exploits/1975; classtype:web-application-attack; sid:100000690; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY SQL-INJECTION Diesel Joke Script Sql Injection attempt"; flow:to_server,established; uricontent:"/category.php"; nocase; uricontent:"id="; uricontent:"union"; nocase; uricontent:"select"; nocase; uricontent:"admin"; nocase; reference:bugtraq,18760; classtype:web-application-attack; sid:100000691; rev:2;)
--- /dev/null
+++ b/rules/tftp.rules
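Review bot: sid 100000107 looks like a copy-paste error: its msg and pcre are written for RawCustomSearchField.asp, but its fast-pattern match is still the previous rule's `uricontent:"/rawdocdata.asp?"`, so the rule only fires when both page names appear in one URI and the RawCustomSearchField case goes undetected in practice. It should read `uricontent:"/RawCustomSearchField.asp?"; nocase; pcre:"/RawCustomSearchField\.asp\x3F[^\r\n]*exec/Ui";`. The unescaped `.` in the pcre patterns of sids 100000106 through 100000109 is a smaller looseness of the same kind and would be worth tightening at the same time.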
@@ -0,0 +1,39 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: tftp.rules,v 1.19.2.1.2.2 2005/07/22 19:19:54 mwatchinski Exp $
+#-----------
+# TFTP RULES
+#-----------
+#
+# These signatures are based on TFTP traffic. These include malicious files
+# that are distributed via TFTP.
+#
+# The last two signatures refer to generic GET and PUT via TFTP, which is
+# generally frowned upon on most networks, but may be used in some enviornments
+
+alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:1941; rev:9;)
+alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2337; rev:8;)
+alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
+alert udp any any -> any 69 (msg:"TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; offset:2; reference:arachnids,137; reference:cve,1999-0183; reference:cve,2002-1209; classtype:bad-unknown; sid:519; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|00 01|/"; depth:3; reference:arachnids,138; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; depth:2; reference:arachnids,148; reference:cve,1999-0183; classtype:bad-unknown; sid:518; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:2;)
--- /dev/null
+++ b/rules/policy.rules
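Review bot: Sids 1289, 1441, 1442 and 1443 match their token anywhere in the datagram after the opcode (`content:"shadow"; offset:2; nocase;`), not specifically in the NUL-terminated filename field, so any request whose filename or mode string merely contains the substring will alert; anchoring on the filename, for example `pcre:"/^\x00\x01[^\x00]*shadow\x00/i";`, would make the match mean what the msg says. Those four rules also carry `classtype:successful-admin` for a request that the server may simply refuse, which overstates the alert; `attempted-admin`, as the two overflow rules use, fits a request-side signature better. The header comment's "enviornments" should be "environments".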
@@ -0,0 +1,55 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: policy.rules,v 1.38.2.2.2.3 2005/07/22 19:19:54 mwatchinski Exp $
+#-------------
+# POLICY RULES
+#-------------
+#
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
+
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
+
+
+# we have started to see multiple versions of this beyond 003.003, so we have
+# expanded this signature to take that into account.
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
+
+alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
+alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
+alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;)
+
+# NOTES: This signature would be better off using uricontent, and having the
+# http decoder looking at 5800 and 5802, but that is on by default
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
+alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
--- /dev/null
+++ b/rules/mysql.rules
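Review bot: sid 547 carries `flow:to_Server,established` with a capital S, unlike every other rule in this file; if the flow option parser is case-sensitive the rule fails to load and takes the whole file down with it, and either way it should read `flow:to_server,established`. sid 1429 pins poll.gotomypc.com to the single literal address `66.151.158.177`, which will silently stop matching when the service moves; a comment recording when that address was resolved, or a variable defined in snort.conf, would make the dependency visible to whoever maintains the package. sid 560 inspects `$HOME_NET any` with only `flow:established` and a five-byte match, so the VNC banner check runs on every established stream in both directions, which is the kind of cost the "NOTES" comment on sid 1846 already flags for a neighbouring rule.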
@@ -0,0 +1,31 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: mysql.rules,v 1.10.2.2.2.3 2005/05/31 17:13:02 mwatchinski Exp $
+#----------
+# MYSQL RULES
+#----------
+#
+# These signatures detect unusual and potentially malicious mysql traffic.
+#
+# These signatures are not enabled by default as they may generate false
+# positive alarms on networks that do mysql development.
+#
+
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; within:1; distance:3; content:"root|00|"; within:5; distance:5; nocase; classtype:protocol-command-decode; sid:3456; rev:2;)
--- /dev/null
+++ b/rules/purge-non-gpl.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# Purges non-GPL rules from a common set
+
+if [ -z "$1" ] ; then
+ echo "Usage: $0 directory_with_rules"
+fi
+
+if [ ! -d "$1" ] ; then
+ echo "ERROR: $1 is not a directory"
+ exit 1
+fi
+
+for file in $1/*rules; do
+ if [ -r "$file" ] ; then
+ name=`basename $file`
+ if [ ! -e "$name" ] ; then
+ cat $file |perl remove-non-gpl.pl >$name
+ else
+ echo "ERROR: Cowardly refusing to overwrite $name"
+ fi
+ fi
+done
+
--- /dev/null
+++ b/rules/bad-traffic.rules
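Review bot: The usage branch prints the message but does not exit, so with no argument the script falls through to `[ ! -d "" ]` and reports the misleading "ERROR:  is not a directory" instead of the usage line; it needs an `exit 1` after the echo, and both error messages belong on stderr. The loop expands `$1/*rules`, `basename $file` and `cat $file` unquoted, so a rules directory whose path contains a space or glob character breaks the loop, and the `cat |` pipe is a redirect in disguise. `perl remove-non-gpl.pl` is resolved relative to the current directory, so the script only works when run from the rules directory; if that is intended it deserves a comment, otherwise locate the helper next to the script. Note also that nothing checks the perl exit status, so a failed filter leaves a truncated `$name` behind that the overwrite guard will then protect on the next run.
```shell
if [ -z "$1" ] ; then
 echo "Usage: $0 directory_with_rules" >&2
 exit 1
fi
# … unchanged: directory check …
for file in "$1"/*rules; do
 if [ -r "$file" ] ; then
 name=$(basename -- "$file")
 if [ ! -e "$name" ] ; then
 perl remove-non-gpl.pl < "$file" > "$name" || { rm -f -- "$name"; exit 1; }
 else
 echo "ERROR: Cowardly refusing to overwrite $name" >&2
 fi
 fi
done
```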
@@ -0,0 +1,41 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: bad-traffic.rules,v 1.31.2.3.2.1 2005/05/16 22:17:51 mwatchinski Exp $
+#------------------
+# BAD TRAFFIC RULES
+#------------------
+# These signatures are representitive of traffic that should never be seen on
+# any network. None of these signatures include datagram content checking
+# and are extremely quick signatures
+#
+
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flow:stateless; dsize:>6; flags:S,12; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:11;)
+alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+# linux happens. Blah
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
+alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
+alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
+alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)
--- /dev/null
+++ b/rules/generators
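Review bot: sid 1627 hard-codes `ip_proto:>134` as the unassigned range, but the IANA registry it references keeps growing (protocol 135, the IPv6 Mobility Header, was already assigned when this file was dated), so the rule labels legitimate traffic as "Unassigned/Reserved" and the threshold has to be re-checked against the registry rather than treated as fixed. A one-line comment above the rule naming the registry date the number was taken from would at least make that maintenance visible. The two commented-out rules (sids 526 and 1322) are disabled without a reason beyond "linux happens. Blah"; a short note on what false positives motivated it would let a later maintainer decide whether to re-enable them.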
@@ -0,0 +1,39 @@
+# Master Registry of Snort Generator Ids
+#
+#
+# This file is used to maintain unique generator ids for files even if
+# the default snort configuration doesn't include some patch that is
+# required for a specific preprocessor to work
+#
+#
+#
+# Maintainer: Chris Green
+#
+# Contact cmg@sourcefire.com for an assignment
+
+rules_subsystem 1 # Snort Rules Engine
+tag_subsystem 2 # Tagging Subsystem
+portscan 100 # Portscan1
+minfrag 101 # Minfrag [ removed ]
+http_decode 102 # HTTP decode 1/2
+defrag 103 # First defragmenter [ removed ]
+spade 104 # SPADE [ not included anymore ]
+bo 105 # Back Orifice
+rpc_decode 106 # RPC Preprocessor
+stream2 107 # 2nd stream preprocessor [removed]
+stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ]
+telnet_neg 109 # telnet option decoder
+unidecode 110 # unicode decoder
+stream4 111 # Stream4 preprocessor
+arpspoof 112 # Arp Spoof detector
+frag2 113 # 2nd fragment preprocessor
+fnord 114 # NOP detector [ removed ]
+asn1 115 # ASN.1 Validator [ removed ]
+decode 116 # Snort Internal Decoder
+scan2 117 # portscan2
+conversation 118 # conversation
+reserved 119 # TBA
+reserved 120 # TBA
+snmp 121 # Andrew Baker's newer SNMP decoder
+sfportscan 122 # Dan Roelkers portscan
+frag3 123 # Marty Roesch's ip frag reassembler
--- /dev/null
+++ b/rules/web-attacks.rules
@@ -0,0 +1,74 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-attacks.rules,v 1.18.2.2.2.1 2005/05/16 22:17:52 mwatchinski Exp $
+# ----------------
+# WEB ATTACKS
+# ----------------
+# These signatures are generic signatures that will catch common commands
+# used to exploit form variable vulnerabilities. These signatures should
+# not false very often.
+#
+# Please email example PCAP log dumps to snort-sigs@lists.sourceforge.net
+# if you find one of these signatures to be too false possitive.
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flow:to_server,established; uricontent:"ps%20"; nocase; classtype:web-application-attack; sid:1329; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established; content:"wget%20"; nocase; classtype:web-application-attack; reference:bugtraq,10361; sid:1330; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flow:to_server,established; content:"uname%20-a"; nocase; classtype:web-application-attack; sid:1331; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flow:to_server,established; content:"|3B|id"; nocase; classtype:web-application-attack; sid:1333; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; classtype:web-application-attack; sid:1334; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flow:to_server,established; content:"/bin/kill"; nocase; classtype:web-application-attack; sid:1335; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flow:to_server,established; content:"/bin/chmod"; nocase; classtype:web-application-attack; sid:1336; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flow:to_server,established; content:"/chgrp"; nocase; classtype:web-application-attack; sid:1337; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flow:to_server,established; content:"/chown"; nocase; classtype:web-application-attack; sid:1338; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flow:to_server,established; content:"/usr/bin/chsh"; nocase; classtype:web-application-attack; sid:1339; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flow:to_server,established; content:"tftp%20"; nocase; classtype:web-application-attack; sid:1340; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flow:to_server,established; content:"/usr/bin/gcc"; nocase; classtype:web-application-attack; sid:1341; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flow:to_server,established; content:"gcc%20-o"; nocase; classtype:web-application-attack; sid:1342; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flow:to_server,established; content:"/usr/bin/cc"; nocase; classtype:web-application-attack; sid:1343; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flow:to_server,established; content:"cc%20"; nocase; classtype:web-application-attack; sid:1344; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flow:to_server,established; content:"/usr/bin/cpp"; nocase; classtype:web-application-attack; sid:1345; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flow:to_server,established; content:"cpp%20"; nocase; classtype:web-application-attack; sid:1346; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flow:to_server,established; content:"/usr/bin/g++"; nocase; classtype:web-application-attack; sid:1347; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flow:to_server,established; content:"g++%20"; nocase; classtype:web-application-attack; sid:1348; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flow:to_server,established; content:"bin/python"; nocase; classtype:web-application-attack; sid:1349; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flow:to_server,established; content:"python%20"; nocase; classtype:web-application-attack; sid:1350; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flow:to_server,established; content:"bin/tclsh"; nocase; classtype:web-application-attack; sid:1351; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flow:to_server,established; content:"tclsh8%20"; nocase; classtype:web-application-attack; sid:1352; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flow:to_server,established; content:"bin/nasm"; nocase; classtype:web-application-attack; sid:1353; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flow:to_server,established; content:"nasm%20"; nocase; classtype:web-application-attack; sid:1354; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; nocase; classtype:web-application-attack; sid:1355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flow:to_server,established; content:"perl%20"; nocase; classtype:web-application-attack; sid:1356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flow:to_server,established; content:"net localgroup administrators /add"; nocase; classtype:web-application-attack; sid:1357; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flow:to_server,established; content:"traceroute%20"; nocase; classtype:web-application-attack; sid:1358; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flow:to_server,established; content:"/bin/ping"; nocase; classtype:web-application-attack; sid:1359; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flow:to_server,established; content:"nc%20"; nocase; classtype:web-application-attack; sid:1360; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flow:to_server,established; content:"nmap%20"; nocase; classtype:web-application-attack; sid:1361; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flow:to_server,established; content:"/usr/X11R6/bin/xterm"; nocase; classtype:web-application-attack; sid:1362; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flow:to_server,established; content:"%20-display%20"; nocase; classtype:web-application-attack; sid:1363; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flow:to_server,established; content:"lsof%20"; nocase; classtype:web-application-attack; sid:1364; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; content:"rm%20"; nocase; classtype:web-application-attack; sid:1365; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"/bin/mail"; nocase; classtype:web-application-attack; sid:1366; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flow:to_server,established; content:"mail%20"; nocase; classtype:web-application-attack; sid:1367; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flow:to_server,established; uricontent:"/bin/ls|7C|"; nocase; classtype:web-application-attack; sid:1368; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flow:to_server,established; uricontent:"/bin/ls"; nocase; classtype:web-application-attack; sid:1369; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; classtype:web-application-activity; sid:1371; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; nocase; classtype:web-application-activity; sid:1372; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flow:to_server,established; content:"conf/httpd.conf"; nocase; classtype:web-application-activity; sid:1373; rev:6;)
--- /dev/null
+++ b/rules/pop3.rules
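Review bot: sids 1366 and 1367 emit the identical `msg:"WEB-ATTACKS mail command attempt"`, so their alerts cannot be told apart without looking up the sid; the first should follow the `/bin/ps` versus `ps` naming the file uses elsewhere and read `msg:"WEB-ATTACKS /bin/mail command attempt"`. Most rules here match with `content:` over the whole request rather than `uricontent:`, and tokens such as `cc%20`, `rm%20` and `nc%20` (sids 1344, 1365, 1360) are substrings of ordinary words like `form%20` or `sync%20`, which sits badly with the header's claim that these signatures "should not false very often"; either move them to `uricontent:` with a preceding delimiter such as `|3B|` or `%20`, or state in the header that those sids are expected to be noisy and are candidates for local tuning. The header's "possitive" should be "positive".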
@@ -0,0 +1,58 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: pop3.rules,v 1.22.2.4.2.3 2005/06/29 15:35:04 mwatchinski Exp $
+#--------------
+# POP3 RULES
+#--------------
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;)
+alert tcp 
$EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
+alert tcp $EXTERNAL_NET any 
-> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
+
+# bsd-qpopper.c
+# overflow in the reading of a line in qpopper
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:11;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; 
content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:10;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; 
byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:13;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2535; rev:6;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2536; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:6;)
+
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;)
--- /dev/null
+++ b/rules/web-misc.rules
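Review bot: The USER and PASS format-string rules (sid 2250, sid 2666) fire on any `%` anywhere in the argument — `pcre:"/^USER\s+[^\n]*?%/smi"` — so a login name that legitimately contains a percent sign (some virtual-domain login schemes use `user%domain`, which I have not verified against the servers this sensor protects) will be reported as attempted-admin on every login. Anchoring on an actual conversion, e.g. `pcre:"/^USER\s+[^\n]*?%[-0-9.]*[nsxp]/smi"`, would cut that noise at the cost of missing exotic specifiers, and either choice deserves a one-line comment above the rule so the trade-off is recorded. Separately, the brute-force rule sid 2274 ships commented out, so nothing in this file counts failed POP3 logins; if that is deliberate, a comment such as `# disabled: threshold track by_dst alerts on any busy server, not on an attacker` would save the next maintainer from guessing why. Minor: sid 286 and sid 287 carry the identical msg "POP3 EXPLOIT x86 BSD overflow", which makes them indistinguishable in alert output without the sid.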
@@ -0,0 +1,443 @@
+# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
+#
+# This file may contain proprietary rules that were created, tested and
+# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
+# rules that were created by Sourcefire and other third parties and
+# distributed under the GNU General Public License (the "GPL Rules"). The
+# VRT Certified Rules contained in this file are the property of
+# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
+# The GPL Rules created by Sourcefire, Inc. are the property of
+# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
+# Reserved. All other GPL Rules are owned and copyrighted by their
+# respective owners (please see www.snort.org/contributors for a list of
+# owners and their respective copyrights). In order to determine what
+# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
+# Certified Rules License Agreement.
+#
+#
+# $Id: web-misc.rules,v 1.118.2.8.2.6 2005/07/22 19:19:54 mwatchinski Exp $
+#---------------
+# WEB-MISC RULES
+#---------------
+
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; byte_test:2,<,768,4; flowbits:set,sslv2.client_hello.request; byte_test:2,>,32,10; classtype:attempted-admin; sid:2657; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; byte_test:2,<,768,3; flowbits:set,sslv2.client_hello.request; 
byte_test:2,>,32,9; classtype:attempted-admin; sid:2656; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cross site scripting attempt"; flow:to_server,established; content:" + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/3144.txt 
@@ -0,0 +1,77 @@ +Rule: + +-- +Sid: +3144 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in Microsoft systems using Server Message Block (SMB). + +-- +Impact: +Serious. Execution of arbitrary code leading to unauthorized +administrative access to the target host. Denial of Service (DoS) is +also possible. + +-- +Detailed Information: +SMB is a client - server protocol used in sharing resources such as +files, printers, ports, named pipes and other things, between machines +on a network. + +A vulnerability in the Microsoft implementation of SMB exists due to a +programming error which may present an attacker with the opportunity to +exploit the service and run code of their choosing on an affected +system. The attacker may then cause a DoS condition in the service or +possibly gain unauthorized access to the target host. + +A malicious attacker can exploit the vulnerability by sending a +malicious response from a server in response to a client request using +SMB. + +-- +Affected Systems: + Microsoft Windows 2003 + Microsoft Windows 2000 + Microsoft Windows XP + +-- +Attack Scenarios: +An attacker can supply extra data in the message from the server +containing code of their choosing to be run on the client. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches. + +Turn off windows file and print services. + +Use Samba as an alternative. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +eEye: +http://www.eeye.com/html/research/advisories/AD20050208.html + +-- --- /dev/null +++ b/doc/signatures/546.txt 
@@ -0,0 +1,56 @@ +Rule: + +-- +Sid: +546 + +-- +Summary: +This event is generated when an attempt is made to navigate in an FTP session to a hidden directory name that begins with a space. + +-- +Impact: +Unauthorized file storage. An attacker may attempt to navigate on an FTP server to a directory name that begins with a space to list or store unauthorized files such as unlicensed software. + +-- +Detailed Information: +An attacker may attempt to hide unauthorized files in a hidden directory name that begins with a space. This hidden directory is hard to discover, permitting attackers to store unauthorized "warez" files, such as unlicensed or pirated software. + +-- +Affected Systems: +FTP servers + +-- +Attack Scenarios: +An attacker may navigate to the hidden directory name that begins with a space to list or store unauthorized files. + +-- +Ease of Attack: +Simple + +-- +False Positives: +It is remotely possible that an authorized directory exists with a name that begins with a space. + +-- +False Negatives: +Hidden directories other than those with names that begin with a space may be used to store "warez" files. + +-- +Corrective Action: +Assign restrictive permissions to all directories so unauthorized users cannot navigate or write to them. + +Regularly monitor directories for sudden or drastic increased use of space. + +-- +Contributors: +Original rule writer unknown +Modified by Brian Caswell +Snort documentation contributed by Chaos +Sourcefire Research Team +Judy Novak + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/432.txt 
@@ -0,0 +1,61 @@ +Rule: + +-- + +Sid: +432 + +-- + +Summary: +This event is generated when a host generates and ICMP Type 40 Code 3 Decryption Failed datagram. + +-- + +Impact: +ICMP Type 40 Code 3 datagrams are an indication that a received datagram failed a decryption check for a given SPI. Normally this is an indication that hosts using IP Security Protocols such as AH or ESP have been configured incorrectly or are failing to establish a session with another host. + +-- + +Detailed Information: +Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition occurs. ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a given SPI (Security Parameters Index). + +-- + +Attack Scenarios: +None known + +-- + +Ease of Attack: +Numerous tools and scripts can generate this type of ICMP datagram. + +-- + +False Positives: +None known + +-- + +False Negatives: +None known + +-- + +Corrective Action: +ICMP Type 40 datagrams not normally seen on the network. Currently Sourcefire is unaware of any hardware that has implemented these types of ICMP datagrams. Hosts generating these types of ICMP datagrams should be investigated for nefarious activity or configuration errors. + +-- + +Contributors: +Original Rule writer unknown +Sourcefire Research Team +Matthew Watchinski (matt.watchinski@sourcefire.com) + +-- + +Additional References: +RFC2521 + + +-- --- /dev/null +++ b/doc/signatures/2534.txt 
@@ -0,0 +1,61 @@ +Rule: + +-- +Sid: +2534 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in the Microsoft implementation of SSL Version 3. + +-- +Impact: +Denial of Service (DoS). + +-- +Detailed Information: +A vulnerability exists in the handling of SSL Version 3 requests that +can be manipulated to cause a DoS condition in various software +implementations used on Microsoft operating systems. + +The condition exists because of poor error handling routines in the +Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an +invalid field, sent to vulnerable systems can cause the affected host to stop +handling any further requests. + +-- +Affected Systems: + Microsoft Windows 2000, 2003 and XP systems using SSL + +-- +Attack Scenarios: +An attcker needs to make an SSL request to an affected system that +contains an invalid field. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches + +-- +Contributors: +Sourcefire Research Team +Matt Watchinski +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/3316.txt 
@@ -0,0 +1,70 @@ +Rule: + +-- +Sid: +3316 + +-- +Summary: +This rule generates an event when an attempt is made to exploit a known +vulnerability in Microsoft RPC DCOM. + +-- +Impact: +Execution of arbitrary code leading to full administrator access of the +machine. Denial of Service (DoS). + +-- +Detailed Information: +A vulnerability exists in Microsoft RPC DCOM such that execution of +arbitrary code or a Denial of Service condition can be issued against a +host by sending malformed data via RPC. + +The Distributed Component Object Model (DCOM) handles DCOM requests sent +by clients to a server using RPC. A malformed request to an RPC port +will result in a buffer overflow condition that will present the +attacker with the opportunity to execute arbitrary code with the +privileges of the local system account. + +-- +Affected Systems: + Windows NT 4.0 + Windows NT 4.0 Terminal Server Edition + Windows 2000 + Windows XP + Windows Server 2003 + +-- +Attack Scenarios: +An attacker may make a request for a file with an overly long filename +via a network share. + +-- +Ease of Attack: +Simple. Expoit code exists. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches. + +Block access to RPC ports 135, 139 and 445 for both TCP and UDP +protocols from external sources using a packet filtering firewall. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/3034.txt 
@@ -0,0 +1,67 @@ +Rule: + +-- +Sid: +3034 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in a Samba implementation. + +-- +Impact: +Serious. Possible execution of arbitrary code. + +-- +Detailed Information: +Samba is a file and print serving system for heterogenous networks. It +is available for use as a service and client on UNIX/Linux systems and as +a client for Microsoft Windows systems. + +Samba uses the SMB/CIFS protocols to allow communication between client +and server. The SMB protocol contains many commands and is commonly used +to control network devices and systems from a remote location. A +vulnerability exists in the way the smb daemon processes commands sent by +a client system when accessing resources on the remote server.The problem +exists in the allocation of memory which can be exploited by an attacker +to cause an integer overflow, possibly leading to the execution of +arbitrary code on the affected system with the privileges of the user +running the smbd process. + +-- +Affected Systems: + Samba 3.0.8 and prior + +-- +Attack Scenarios: +An attacker needs to supply specially crafted data to the smb daemon to +overflow a buffer containing the information for the access control lists +to be applied to files in the smb query. + +-- +Ease of Attack: +Difficult. + +-- +False Positives: +None Known + +-- +False Negatives: +None Known + +-- +Corrective Action: +Apply the appropriate vendor supplied patch + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/1919.txt 
@@ -0,0 +1,59 @@ +Rule: +-- +Sid: +1919 + +-- +Summary: +This event is generated when an attempt is made to exploit a buffer overflow or denial of service vulnerability associated with FTP CWD command. + +-- +Impact: +Remote access or denial of service. A successful attack can cause a denial of service or allow remote execution of arbitrary commands with privileges of the process running the FTP server. + +-- +Detailed Information: +This event is generated when an attempt is made to exploit various vulnerabilities associated with the FTP CWD command of different FTP servers. It is possible to cause a denial of service attack or gain remote access to execute arbitrary commands with the privileges of the process running the FTP server by sending an overly long argument with the FTP CWD command. + +-- +Affected Systems: +Hosts running BlackMoon FTP Server 1.0 through 1.5. +Hosts running Argosoft FRP server 1.0. +Hosts running TYPSoft FTP Server 0.7x. + +-- +Attack Scenarios: +An attacker can supply an overly long file argument with the CWD command, causing a denial of service or buffer overflow. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None Known. + +-- +False Negatives: +None Known. + +-- +Corrective Action: +Upgrade to the latest non-affected version of the software. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton +Judy Novak + +-- +Additional References: + +CVE: +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0126 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1194 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1035 + +-- --- /dev/null +++ b/doc/signatures/386.txt 
@@ -0,0 +1,60 @@ +Rule: + +-- +Sid: +386 + +-- +Summary: +This event is generated when an internal server replies to an external request for network subnet mask information, which may allow an attacker to learn information about the network for use in later attacks. + +-- +Impact: +Information gathering. + +-- +Detailed Information: +If an attacker sends an ICMP request to an internal server for address mask information (SID 388 should trigger when this activity is seen), an internal server may reply with subnet mask information. This can provide an attacker with information about subnet mask configuration that can be useful for future attacks. + +-- +Affected Systems: +Any system that responds to ICMP address mask requests. + +-- +Attack Scenarios: +An attacker can send an ICMP request for subnet mask information to the internal network. The server replies, providing the attacker with information about network subnet configuration. + +-- +Ease of Attack: +Simple. Tools that use this method of information gathering are freely available. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Use a packet filtering firewall that restricts ICMP type 17 (address mask requests) from entering the protected network, and restricts ICMP type 18 packets (address mask replies) from exiting the protected network. + +-- +Contributors: +Original rule writer unknown +Sourcefire Research Team +Matthew Watchinski +Sourcefire Technical Publications Team +Jen Harvey + +-- +Additional References: + +CVE +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0524 + +ArachNIDS +http://www.whitehats.com/cgi/arachNIDS/Show?_id=ids216 + +-- --- /dev/null +++ b/doc/signatures/100000168.txt 
@@ -0,0 +1,59 @@ +Rule: + +-- +Sid: +100000168 + +-- +Summary: +The password-cracking tool Hydra has been detected in HTTP traffic. + +-- +Impact: +An attacker may be attempting to break into one or more web servers monitored +by Snort via a brute-force password attack. If successful, the attacker may +gain unauthorized access to internal networks. + +-- +Detailed Information: +Hydra is a password-cracking tool released by a group of security experts +called THC, "The Hacker's Choice." Requests sent by this tool to a web server +contain the User-Agent string "Mozilla/4.0 (Hydra)". Since normal browsers' +User-Agent strings do not contain the string "(Hydra)", the presence of this +string indicates that the Hydra tool is likely being used. + +-- +Affected Systems: +Any system running a web server. + +-- +Attack Scenarios: +Attackers will use the Hydra password-cracking tool. + +-- +Ease of Attack: +Simple, as the program is publicly available and is well-documented. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Check system logs and Snort alert logs for suspicious activity, particularly +unusual logons. Ensure that secure passwords are being used throughout your +network. + +-- +Contributors: +rmkml +Sourcefire Research Team + +-- +Additional References + +-- --- /dev/null +++ b/doc/signatures/100000146.txt 
@@ -0,0 +1,62 @@ +Rule: + +-- +Sid: +100000146 + +-- +Summary: +This event is generated when an attempt is made to exploit a +directory traversal associated with Imail Web Calendaring +servicel + +-- +Impact: +A successful attack can permit a user to navigate outside +of the web root directory and read files. + +-- +Detailed Information: +The Imail Web Calendaring Server does not properly sanitize +a malformed URL that contains directory traversal characters. +This vulnerability is associated with static objects identified +by names ending in .jsp, .jpg, .gif, .wav, .css, or .htm. This +can permit an unauthorized user to examine files that may contain +sensitive information. + +-- +Affected Systems: +Ipswitch IMail Server 8.2 and prior +Ipswitch IMail Server 8.15 and prior + +-- +Attack Scenarios: +An attacker send a URI containing a directory traversal to view +sensitive files on a vulnerable server. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Upgrade to the most current non-affected version of the product. + +-- +Contributors: +Sourcefire Research Team +Judy Novak + +-- +Additional References +Other: + +-- --- /dev/null +++ b/doc/signatures/355.txt 
@@ -0,0 +1,64 @@ +Rule: + +-- +Sid: +355 + +-- +Summary: +This event is generated when a password of "wh00t" is used to login to an File Transfer Protocol (FTP) server. + +-- +Impact: +Remote root access. The attack may indicate that the FTP server has been compromised. + +-- +Detailed Information: +The password "wh00t" is a common backdoor password associated with a compromised root account. If this password is observed, it may indicate that the FTP server has been compromised and a backdoor root account with a password of "wh00t" has been created. Alternately, this may indicate a failed attempt of an attacker attempting to locate FTP servers compromised by others. + +-- +Affected Systems: +FTP servers. + +-- +Attack Scenarios: +An attacker may compromise a host and create a backdoor account. An attacker may attempt to locate FTP servers with a backdoor account. + +-- +Ease of Attack: +Simple + +-- +False Positives: +It is very remotely possible that a legitimate password of "wh00t" exists. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Examine the suspected compromised host for unauthorized changes. + +Make sure that the suspected compromised host has all security patches applied. + +Log activity to and from the suspected compromised host. + +Examine other systems on the network for evidence of compromise. + +If a compromised is discovered, reinstall the operating system. + +-- +Contributors: +Orignal rule written by Ron Gula +Documented by Steven Alexander +Sourcefire Research Team +Judy Novak + +-- +Additional References: + +Arachnids: +http://www.whitehats.com/info/IDS324 + +-- --- /dev/null +++ b/doc/signatures/100000550.txt 
@@ -0,0 +1,71 @@ +Rule: + +-- +Sid: +100000550 +-- +Summary: +This event is generated when an attempt is made to access the file "comment.php +which contains known vulnerabilities in the "Project Eros BBSEngine" +application running on a webserver. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server or application. Possible execution of +arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event indicates that an attempt has been made to access a file with known +vulnerabilities from a remote machine used by the "Project Eros BBSEngine" +application running on a webserver. + +If stringent input checks are not performed by the CGI application, it may also +be possible for an attacker to execute system binaries or malicious code of the +attackers choosing. + +This event is generated when an attempt is made to gain unauthorized access to +a CGI application running ona web server. Some applications do not perform +stringent checks when validating the credentials of a client host connecting to +the services offered on a host server. This can lead to unauthorized access and +possibly escalated privileges to that of the administrator. Data stored on the +machine can be compromised and trust relationships between the victim server +and other hosts can be exploited by the attacker. + +-- +Affected Systems: +All systems running CGI applications using Project Eros BBSEngine +-- +Attack Scenarios: +An attacker can access an authentication mechanism and supply his/her own +credentials to gain access. Alternatively the attacker can exploit weaknesses +to gain access as the administrator by supplying input of their choosing to the +underlying CGI script. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. 
+ +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has had +all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Nigel Houghton +-- +Additional References: + +-- + --- /dev/null +++ b/doc/signatures/3428.txt @@ -0,0 +1,70 @@ +Rule: + +-- +Sid: +3428 + +-- +Summary: +This rule generates an event when an attempt is made to exploit a known +vulnerability in Microsoft RPC DCOM. + +-- +Impact: +Execution of arbitrary code leading to full administrator access of the +machine. Denial of Service (DoS). + +-- +Detailed Information: +A vulnerability exists in Microsoft RPC DCOM such that execution of +arbitrary code or a Denial of Service condition can be issued against a +host by sending malformed data via RPC. + +The Distributed Component Object Model (DCOM) handles DCOM requests sent +by clients to a server using RPC. A malformed request to an RPC port +will result in a buffer overflow condition that will present the +attacker with the opportunity to execute arbitrary code with the +privileges of the local system account. + +-- +Affected Systems: + Windows NT 4.0 + Windows NT 4.0 Terminal Server Edition + Windows 2000 + Windows XP + Windows Server 2003 + +-- +Attack Scenarios: +An attacker may make a request for a file with an overly long filename +via a network share. + +-- +Ease of Attack: +Simple. Expoit code exists. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches. + +Block access to RPC ports 135, 139 and 445 for both TCP and UDP +protocols from external sources using a packet filtering firewall. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/1571.txt 
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1571
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/658.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+658
+
+--
+Summary:
+This event is generated when a denial of service is attempted on a Microsoft Exchange mail server.
+
+--
+Impact:
+Denial of service. This will cause the Exchange server to fail.
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft Exchange 5.5 that causes a denial of service if a MIME header contains the string 'charset = ""'. The Exchange server does not properly handle this MIME header string, causing it to crash.
+
+--
+Affected Systems:
+Microsoft Exchange server 5.5
+
+--
+Attack Scenarios:
+An attacker can supply a malicious string in the MIME header causing the Exchange server to fail.
+
+--
+Ease of Attack:
+Easy. An attacker can telnet to port 25 of the Exchange server, start a dialogue with the server, and supply the malicious string in the MIME header.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to Exchange 5.5 service Pack 4.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-082.asp
+
+Miscellaneous:
+http://packetstormsecurity.nl/0011-exploits/exchange.dos.txt
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000778.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000778
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "PHPMailList" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "email" parameter in the "maillist.php" script used by the "PHPMailList" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPMailList
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000500.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000500
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "PictureDis" application running on a webserver.
+Access to the file "wpfiles.php" using a remote file being passed as the "lang"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "lang" parameter in the "wpfiles.php" script used by the
+"PictureDis" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PictureDis
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2177.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to access a system
+folder via SMB.
+
+--
+Impact:
+Serious. This folder contains important operating system information.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to access a folder
+containing important operating system files using SMB across the
+network.
+
+--
+Affected Systems:
+Microsoft Windows systems.
+
+--
+Attack Scenarios:
+If this folder is accessible via SMB the attacker can replace or view
+important operating system files.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2495.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2495
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft RPC service.
+
+--
+Impact:
+Denial of Service (DoS). Possible execution of arbitrary code leading to
+unauthorized remote access to the victim host.
+
+--
+Detailed Information:
+It may be possible for an attacker to cause a DoS condition in the
+Microsoft RPC service when multiple simultaneous requests are made to a
+vulnerable host. This can lead to an exhaustion of system resources
+causing the DoS.
+
+--
+Affected Systems:
+ Windows systems running RPC services
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the RPC service many times in an
+attempt to cause the DoS condition to occur.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3343.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3343
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000315.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000315
+
+--
+Summary:
+This event is generated when an HTTP client issues a PUT request to upload
+a document into the web content area.
+
+--
+Impact:
+The PUT method is a legitimate HTTP command that allows an authorized user
+to upload a document into the web content tree. It is most often associated
+with the WebDAV content management protocol.
+
+Although there are some legitimate uses for the PUT method, it is also a
+frequent source of web site defacement, as attackers can easily abuse
+misconfigured web servers that allow unrestricted PUT functionality from
+arbitrary users.
+
+--
+Detailed Information:
+The rule searches for HTTP requests using the PUT method, and tracks
+these sessions. The rule is intended to be used with SID 100000316 to
+track successful PUT requests, which may represent successful defacement
+attacks, instead of all PUT requests.
+
+Administrators who wish to track all PUT requests (successful or not) should
+remove the "flowbits:noalert;" section of this rule.
+
+--
+Affected Systems:
+Any web server
+
+--
+Attack Scenarios:
+An attacker can issue a PUT reuqest via a script, many different pieces of
+software, or through a manual connection to any web server port.
+
+--
+Ease of Attack:
+Simple. Numerous tools exist for creating PUT requests, including some geared
+specifically towards web site defacement.
+
+--
+False Positives:
+Organizations that use WebDAV to manage their web content may experience
+false positives, as the PUT method is a normal part of the WebDAV protocol.
+Additionally, any other legitimate web applications which use the PUT method
+will generate false positives.
+
+--
+False Negatives:
+None
+
+--
+Corrective Action:
+In cases of web site defacement, delete the newly-created file(s) and/or
+restore them from a reliable backup. In all cases, be sure to tune web server
+configuration to allow PUT requests only where necessary for a legitimate web
+application to function.
+
+--
+Contributors:
+David J. Bianco,
+
+--
+Additional References:
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
--- /dev/null
+++ b/doc/signatures/2378.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2378
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Checkpoint VPN-1.
+
+--
+Impact:
+Unauthorized administrative access to Checkpoint VPN-1 systems
+
+--
+Detailed Information:
+Checkpoint VPN-1, SecuRemote and SecureClient contain an error that
+affects the processing of large Certificate requests to the VPN service.
+By sending a large amount of data in the Certificate Request payload an
+attacker may cause a buffer overflow condition to occur, presenting an
+opportunity to execute code of their choosing with the privileges of the
+user running the service, usually root.
+
+--
+Affected Systems:
+ CheckPoint Software FW-1 1.4.1 Service packs prior to SP6
+ CheckPoint Software FW-1 Next Generation FP1, FP0
+ CheckPoint Software VPN-1 1.4.1 SP5a
+ CheckPoint Software VPN-1 Next Generation FP1, FP0
+
+--
+Attack Scenarios:
+An attacker could supply a large Certificate Request payload containing
+code to be executed on the system.
+
+--
+Ease of Attack:
+Proof of concept code exists.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software
+
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3172.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3172
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/642.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid: 642
+
+--
+Summary:
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact:
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+--
+Detailed Information:
+This rule tracks the bit combination which may occur in network packets aimed at overflowing HP-UX UNIX network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios:
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack:
+Simple
+
+
+--
+False Positives:
+This event may be generated by legitimate traffic to the specified port.
+
+
+--
+False Negatives:
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action:
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors:
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS358
+
+--
--- /dev/null
+++ b/doc/signatures/100000445.txt
@@ -0,0 +1,61 @@
+
+
+Rule:
+
+--
+Sid:
+100000445
+
+--
+Summary:
+Particle Gallery is susceptible to an injection attack due to a lack
+of input validation on the imageid variable used in the viewimage.php
+component.
+
+--
+Impact:
+The injection attack could result in data leakage, or potential remote
+compromise.
+
+--
+Detailed Information:
+Particle Gallery is prone to an SQL-injection vulnerability. This issue is due
+to a failure in the application to properly sanitize user-supplied input
+before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application,
+access or modify data, or exploit vulnerabilities in the underlying database
+implementation.
+
+The data type assigned to the column referenced by the variable is int, so
+there should never be any text or characters outside of the int used to
+identify the image.
+
+--
+Attack Scenarios:
+Variable manipulation can be done with any browser.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Edit code and add input validation.
+
+--
+Contributors:
+Dan Ramaswami
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1012.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1012
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+ All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1238.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1238
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1577.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1577
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/385.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+385
+
+--
+Summary:
+This event is generated when a Windows traceroute (tracert) is detected.
+
+--
+Impact:
+Information gathering. A traceroute can be used to discover live hosts and network topologies.
+
+--
+Detailed Information:
+A Windows traceroute command uses an ICMP echo request with a lower than normal Time to Live (TTL) value to identify live hosts and network topolgies. The TTL value is manipulated by the sending host to discover all routers traversed from the source host to the destination host. Eventually, a TTL value of 1 is observed, which elicits an ICMP error message of time exceeded in-transit. A router sends this ICMP error message to the host running traceroute. The traceroute host will record this as a router and continue to incrementally manipulate the TTL until the destination host is reached.
+
+Additionally There are at least three different implementations of
+traceroute. In one implementation traceroute works by sending an ICMP
+Echo Request packet to a destination host with a TTL value of 1. If the
+host is more than one hop away, the first route that receives the back
+will send back an ICMP packet indicating that the TTL was exceeded. The
+address of this router is then listed as the first hop. The packet is
+then sent out again with a TTL of 2. This continues until the
+destination host is able to reply or some maximum TTL value is reached.
+
+The other two implementations use the same TTL-based concept with an
+ICMP type of 30(traceroute) or with an UDP packet destined for an
+ephemeral port.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may use a traceroute to discover live hosts and routers on a target network in preparation for an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+The traceroute command may be used to legitimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Judy Novak
+Nigel Houghton
+Snort documentation contributed by by Steven Alexander
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS118
+
+--
--- /dev/null
+++ b/doc/signatures/1961.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+1961
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rquotad is listening.
+
+
+--
+Impact:
+Information disclosure. This request is used to discover which port rquotad is using. Attackers can also learn what versions of the rquotad protocol are accepted by rquotad.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rquotad run. The rquotad RPC service can be queried for user disk usage and the limits of a local file system which is mounted by a remote machine over NFS. A vulnerability associated with rquotad may permit the execution of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+All hosts running the UNIX portmapper.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rquotad runs. This may be a precursor to accessing rquotad.
+
+--
+Ease of Attack:
+Easy.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rquotad, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rquotad, not probes of the rquotad service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rquotad service itself. An attacker may attempt to go directly to the rquotad port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/227.txt
@@ -0,0 +1,56 @@
+Rule:
+--
+Sid:
+227
+
+--
+Summary:
+This event is generated when a Stacheldraht handler attempts to confirm that an agent has the ability to spoof a source IP.
+
+--
+Impact:
+Severe. This indicates that a Stacheldraht agent exists on the destination host.
+
+--
+Detailed Information:
+The Stacheldraht DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.
+
+There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack. In order for an agent host to make a good participant in a distributed denial of service, it must be able to spoof source IPs to elude detection. After a host becomes an agent, a test is conducted to see whether the agent can spoof a source IP. If the handler receives such a communication from the agent, it responds with an ICMP echo request with an ICMP identification number of 1000 and a content of "spoofworks" in the payload.
+
+--
+Affected Systems:
+Any Stacheldraht compromised host.
+
+--
+Attack Scenarios:
+A host on which a Stacheldraht agent has been installed will attempt to send a packet with a spoofed source IP to the handler. If the handler receives this communication, it will reply to the agent informing it that all 32 bits of source IP of DDoS traffic can be spoofed.
+
+--
+Ease of Attack:
+Simple. Stacheldraht code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Use egress filtering in your network to prevent traffic leaving your network that is not part of the internal address space so source IPs cannot be spoofed.
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS192
+
+--
--- /dev/null
+++ b/doc/signatures/497.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid: 497
+
+--
+Summary:
+This event is generated by the successful completion of a file transfer operation. This may be indicative of post-compromise behavior indicating the use of a Windows command shell for copying files.
+
+--
+Impact:
+Serious. An attacker may have the ability to transfer files from the victim host.
+
+--
+Detailed Information:
+This event indicates that a file was successfully copied using Windows command line shell. The string "1 file(s) copied" is shown after the successful completion of a Windows "copy" command.
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed the copy command. Note that the source address of this event is actually the victim and not that of the attacker.
+
+--
+
+Attack Scenarios:
+An attacker gains an access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into the directory accessible by the web server, thus creating a backdoor to access the system.
+
+--
+
+Ease of Attack:
+Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Investigate the web server for other signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3270.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3270
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000463.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000463
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Joomla" application running on a webserver.
+Access to the file "joomla.php" using a remote file being passed as the
+"includepath" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "includepath" parameter in the "joomla.php" script used
+by the "Joomla" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Joomla
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/372.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+372
+
+--
+Summary:
+This event is generated when an ICMP echo request is made from a Windows host running Delphi software.
+
+--
+Impact:
+Information gathering. An ICMP echo request can determine if a host is active.
+
+--
+Detailed Information:
+An ICMP echo request is used by the ping command to elicit an ICMP echo reply from a listening live host. An echo request that originates from a Windows host running Delphi software contains a unique payload in the message request.
+
+--
+Affected Systems:
+All
+
+--
+Attack Scenarios:
+An attacker may attempt to determine live hosts in a network prior to launching an attack.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+An ICMP echo request may be used to legimately troubleshoot networking problems.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block inbound ICMP echo requests.
+
+--
+Contributors:
+Original rule written by Max Vision
+Documented by Steven Alexander
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS155
+
+--
--- /dev/null
+++ b/doc/signatures/3160.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3160
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1144.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1144
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3235.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3235
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1564.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1564
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2825.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2825
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure validate_flavor_definition
+. This procedure is included in
+sys.dbms_repcat_fla.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2389.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2389
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow vulnerability associated with WuFtpd RNTO command.
+
+--
+Impact:
+Remote access. A successful attack may permit the remote execution of
+arbitrary commands with system privileges.
+
+--
+Detailed Information:
+WuFtpd is an FTP server based on BSD ftpd. A vulnerability exists
+with the RNTO command that can cause a buffer overflow and permit the
+execution of arbitrary commands with system privileges. The buffer
+overflow can be caused by supplying an overly long argument to the RNTO
+command.
+
+The issue exists in the realpath() function. It is possible for an
+attacker to send malformed data to the realpath() function that will
+cause the overflow condition to occur.
+
+--
+Affected Systems:
+ Multiple systems using affected C libraries, libc
+
+--
+Attack Scenarios:
+An attacker can use one of the publicly available exploit scripts to
+cause the overflow to occur.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Use scp as an alternative to ftp
+
+Disallow ftp access to internal resources from external sources
+
+Recompile binaries statically linked to the system libc implementation
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1857.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+1857
+--
+Summary:
+This event is generated when a client is requesting the file "robot.txt"
+from a web server.
+
+--
+Impact:
+Information Disclosure. This file may contain data that could provide an
+attacker with information that could assist in an attack on the server.
+
+--
+Detailed Information:
+In the early days of the web, when search engines first began indexing
+sites, it was often desirable to tell the indexing programs, referred
+to as robots, not to index certain parts of a site. A standarized
+method of accomplishing this was created; by placing a file called
+"robot.txt" or "robots.txt" in the root of your web site which search
+engines could read and which would tell them what parts of your site you
+did not want indexed. However, this file can also be very valuable to
+potential attackers if it contains information such as restricted
+directories, cgi-bin locations, etc.
+
+--
+Affected Systems:
+Any web site that uses this method to communicate with robots.
+
+--
+Attack Scenarios:
+An attacker can read the "robot.txt" file and use any sensitive data in
+it to profile your site in preparation for an attack.
+
+--
+Ease of Attack:
+Simple. No exploit software required. Any browser can request a copy of
+"robot.txt" from the server.
+
+--
+False Positives:
+Many. Most automated search engine indexing programs still request this
+file prior to crawling through a web site.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure that your "robot.txt" file, if you need one, does not contain any
+sensitive data.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Snort documentation contributed by Kevin Peuhkurinen
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/297.txt
@@ -0,0 +1,59 @@
+SID:
+297
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd
+server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead
+to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE'
+command on certain IMAPD implementations can lead to a buffer overflow.
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+ Netscape Messaging Server 3.55, University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this problem
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/1729.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid: 1729
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+IRC Protocol
+http://www.irchelp.org/irchelp/rfc/
+
+--
--- /dev/null
+++ b/doc/signatures/973.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+973
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with a file with a .idc extension.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the victim server.
+
+--
+Detailed Information:
+Microsoft Internet Information Service (IIS) supports files extensions including .idc that call the ISM.DLL. A buffer overflow vulnerability exists in ISM.DLL code when it receives a malformed request, permitting the execution of arbitrary code.
+
+--
+Affected Systems:
+IIS 4.0 hosts
+
+--
+Attack Scenarios:
+An attacker can send a malformed request of a .idc file that causes a buffer overflow.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to a more current version of IIS.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0874
+
+Bugtraq:
+http://www.securityfocus.com/bid/307
+
+--
--- /dev/null
+++ b/doc/signatures/2506.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2506
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop
+handling any further requests.
+
+--
+Affected Systems:
+ Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3220.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3220
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1072.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1072
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/640.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid: 640
+
+--
+Summary:
+This event is generated when a buffer overflow attack is attempted against a target machine.
+
+--
+Impact:
+Serious. The attacker may be able to gain remote access to the system or have the ability to execute arbitrary code with the privileges of a system user.
+
+
+--
+Detailed Information:
+This rule tracks the bit combination which may occur in network packets aimed at overflowing IRIX MIPS network services. The buffer overflow attack attempts to force the vulnerable application to execute attacker-controlled code in order to gain interactive access or run arbitrary commands on the vulnerable system.
+
+A specific string used during the overflow is application-dependent however, a platform-specific command or code may be present and is detected by this rule.
+
+--
+Attack Scenarios:
+An attacker launches an overflow exploit against a vulnerable FTP server and gains the ability to start a shell session, thus obtaining interactive access to the target.
+
+--
+Ease of Attack:
+Simple
+
+
+--
+False Positives:
+This event may be generated by legitimate traffic to the specified port.
+
+
+--
+False Negatives:
+This event is specific to the shell code defined in the rule.
+Other shell code sequences may not be detected.
+
+--
+Corrective Action:
+Check the target host for other signs of compromise.
+
+Look for other events concerning the target host.
+
+Apply vendor supplied patches and keep the operating system up to date.
+
+--
+Contributors:
+Original Rule Writer Unkown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1288.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1288
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion. In particular this rule generates events when the directory
+_vti_bin is accessed. This directory contains sensitive files that may
+be utilized in an attack against the server.
+
+--
+Affected Systems:
+ All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+A user who is using the "discuss" toolbar in Microsoft Internet Explorer
+may inadvertently generate an event from this rule, due to the browser
+making a check for Office Server Extensions. See this URI for more
+details.
+
+ http://www.webmasterworld.com/forum39/2158.htm
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000484.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000484
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "Confixx" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "lpath" parameter in the "ftp_index.php" script
+used by the "Confixx" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Confixx
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000713.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000713
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "roster.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "roster.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/609.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 609
+
+--
+Summary:
+This event is generated due to the use of a suspicious login attempt
+
+--
+Impact:
+Serious. If successful the attacker may have gained superuser access to the host.
+
+--
+Detailed Information:
+This rule generates an event when a connection is made using "rsh" whilst passing the parameter "-froot".
+
+A bug in some implementations of the "rsh" daemon software allowed remote root access using the "-froot" parameter for the "rsh command"
+
+--
+Attack Scenarios:
+If a UNIX machine has the "rsh" service running and is vulnerable to this bug, in can be exploited simply by running the "rsh" command with "-froot" flag. For example, rlogin host.foo.com -l -froot
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+Disable the "rsh" service if not used, apply a patch if appropriate.
+
+--
+Contributors:
+Original rule by Max Vision modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0113
+
+Arachnids:
+http://www.whitehats.com/info/IDS387
+
+--
--- /dev/null
+++ b/doc/signatures/100000555.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+100000555
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "VebiMiau" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "lid" parameter in the "error.php" script used
+by the "VebiMiau" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using VebiMiau
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/158.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+152, 157-158
+
+--
+Summary:
+Backdoor.Backconstruction is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+
+The Trojan changes system registry settings to add the Backconstruction
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+ SID Message
+ --- -------
+ 152 BackConstruction 2.1 Connection (outgoing TCP
+connection)
+ 157 BackConstruction 2.1 Client FTP Open Request (incoming
+TCP connection)
+ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
+connection)
+
+This Trojan is commonly used to install other Trojan programs.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at :\WINDOWS\Cmctl32.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Shell = ":\WINDOWS\Cmctl32.exe"
+
+Removal of this entry is required.
+
+Delete the file :\WINDOWS\Cmctl32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS505
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/backc/21/index.shtml
+
+Pest Patrol:
+www.pestpatrol.com/PestInfo/b/back_construction.asp
+
+--
--- /dev/null
+++ b/doc/signatures/3443.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3443
+
+--
+Summary:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule does not generate an event. It is used in conjunction with
+other rules to reduce the possibility of false postives from occuring.
+
+--
+Affected Systems:
+ NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2892.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2892
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_nvarchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000648.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000648
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "whos.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "whos.php" script
+used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000510.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000510
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "VBZoom" application running on a webserver. Access to the
+file "rank.php" with SQL commands being passed as the "MemberID" parameter may
+indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "MemberID" parameter in the "rank.php" script used by
+the "VBZoom" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZoom
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/898.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+898
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2669.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2669
+
+--
+Summary:
+This event is generated when an attempt is made to access the file
+ibillpm.pl.
+
+--
+Impact:
+Possible unauthorized administrative access to the victim host.
+Information disclosure.
+
+--
+Detailed Information:
+The script ibillpm.pl is used to process billing and payment via a CGI
+application over the Internet.
+
+The application suffers from a weak default password scheme that could
+be used by an attacker to take control of a user account and view
+billing details.
+
+--
+Affected Systems:
+ iBill Internet Billing Company Processing Plus
+
+--
+Attack Scenarios:
+An attacker can supply the username and default password for a user to
+the script to gain control.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Uninstall the script ibillpm.pl
+
+Only allow usage from authenticated users
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2554.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2554
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+--
+
+Impact:
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios:
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
+to configure the Oracle Web Cache server to run on different ports. The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1083.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1083
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000820.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+100000820
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "SaPHPLesson" application running on a webserver. Access to the file "add.php" with SQL commands being passed as the "forumid" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "forumid" parameter in the "add.php" script used by the "SaPHPLesson" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SaPHPLesson
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/1353.txt
@@ -0,0 +1,46 @@
+Rule:
+
+--
+Sid:
+1353
+
+--
+Summary:
+Attempted nasm command access via web.
+
+--
+Impact:
+Attempt to compile a binary on a host.
+
+--
+Detailed Information:
+This is an attempt to compiile a program source on a host. NASM is the Netwide Assembler which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker could possibly compile a program needed for other attacks on the system or install a binary program of his choosing.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/nasm'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Whenever possible, sensitive files and certain areas of the filesystem should have the system immutable flag set to prevent files from being added to the host. On BSD derived systems, setting the systems runtime securelevel also prevents the securelevel from being changed. (note: the securelevel can only be increased).
+--
+Contributors:
+Sourcefire Research Team
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2780.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2780
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1200.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1200
+
+--
+Summary:
+This event is generated when an invalid URL response is sent from a
+webserver to a client.
+
+--
+Impact:
+Information gathering and possible Denial of Service (DoS).
+
+--
+Detailed Information:
+This event is generated when an invalid URL response is sent from a
+webserver to a client. It is possible under some circumstances, to cause
+a DoS condition by supplying an invalid URL to a web server running an
+affected version of Microsoft IIS 4.0. Certain invalid URLs can cause
+the system to make an invalid memory request that will in turn stop the
+IIS service from running.
+
+--
+Affected Systems:
+ Microsoft IIS 4.0 on NT systems
+
+--
+Attack Scenarios:
+The attacker would merely need to make a web request using an invalid
+URL.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade the system to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1803.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1803
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+ All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/239.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+239
+
+--
+Summary:
+This event is generated when a DDoS Shaft handler communicates with a Shaft agent. It is also possible that this event may be generated when any host attempts to discover a Shaft agent.
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a Shaft handler or a host attempting to discover Shaft agents. If the listed destination IP is in your network, it may be a Shaft agent.
+
+--
+Detailed Information:
+The Shaft DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Handlers communicate with agents to direct them to launch attacks. A handler may communicate with an agent using a UDP packet to destination port 18753 with a content of "alive tijgu. This communication checks if an agent is alive and uses a default password of "tijgu".
+
+--
+Affected Systems:
+Any Shaft compromised host.
+
+--
+Attack Scenarios:
+A Shaft handler needs to discover if an agent is alive before directing it to launch an attack.
+
+--
+Ease of Attack:
+Simple. Shaft code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS255
+
+Miscellaneous:
+http://biocserver.cwru.edu/~jose/shaft_analysis/
+
+
+
+--
--- /dev/null
+++ b/doc/signatures/2999.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2999
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+ Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1627.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1627
+
+--
+Summary:
+This event is generated when packets on the network are using an
+unassigned or reserved IP protocol.
+
+--
+Impact:
+Possible prelude to system compromise.
+
+--
+Detailed Information:
+Under normal circumstances IP packets do not use unassigned or reserved
+protocols.
+
+an indicator of unauthorized network use, reconnaisance activity or
+system compromise. These rules may also generate an event due to
+improperly configured network devices.
+
+--
+Affected Systems:
+ All
+
+--
+Attack Scenarios:
+The attacker may send specially crafted packets using an unassigned or
+reserved protocol.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Research or testing of new protocols may trigger this event.
+
+Novell use protocol 224 for the Cluster heart beat
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Use a packet filtering device to reject packets using an unknown
+protocol.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+IANA
+http://www.iana.org/assignments/protocol-numbers
+
+--
--- /dev/null
+++ b/doc/signatures/1718.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1718
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000468.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000468
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "WebprojectDB" application running on a webserver.
+Access to the file "lang.php" using a remote file being passed as the "INCDIR"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "INCDIR" parameter in the "lang.php" script used by the
+"WebprojectDB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using WebprojectDB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/724.txt
@@ -0,0 +1,90 @@
+Rule:
+
+--
+Sid:
+724
+
+--
+Summary:
+This event is generated when worm activity is detected. More specifcally
+this event indicates possible "My Romeo" propogation.
+
+--
+Impact:
+Serious. The victim host may be infected with a worm.
+
+--
+Detailed Information:
+This worm propogates via electronic mail and exploits a known
+vulnerability in the way that versions of Microsoft Outlook and Internet
+Explorer handle trusted HTML pages. The worm is launched via a compiled
+HTML file (.chm) which is used by Microsoft WIndows Help.
+
+The executable part of the worm is called from within the trusted
+compiled HTML file. The worm attempts to propagate using hard coded
+addresses of SMTP servers.
+
+This worm is also Known As: Romeo and Juliet, W32/Verona, TrojBlebla.A
+
+--
+Affected Systems:
+ Microsoft Windows 9x
+ Microsoft Windows 2000
+
+--
+Attack Scenarios:
+Symantec Anti-Virus center states that the worm arrives as an email
+message that has an HTML body and two attachments named Myjuliet.chm
+and Myromeo.exe. The subject of the email is selected at random from
+the following set:
+
+Romeo&Juliet
+hello world
+subject
+ble bla, bee
+I Love You ;)
+sorry...
+Hey you !
+Matrix has you...
+my picture
+from shake-beer
+
+--
+Ease of Attack:
+Simple. This is worm activity.
+
+--
+False Positives:
+Legitimate electronic mail containing the known subject lines used by
+MyRomeo may cause this rule to generate an event.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Use Anti-Virus software to detect and delete virus laden email.
+
+This worm makes changes to the system registry, removal of the affected
+registry keys should be done using an appropriate virus removal tool or
+by an experienced Windows administrator.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+McAfee
+http://vil.nai.com/vil/content/v_98894.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blebla.worm.html
+
+--
--- /dev/null
+++ b/doc/signatures/1046.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1046
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2409.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2409
+
+--
+Summary:
+This event is generated when an attempt is made to overflow a buffer by
+supplying a very long username to an APOP POP3 service.
+
+--
+Impact:
+Serious. Several POP3 servers are vulnerable to USER buffer overflows.
+
+--
+Detailed Information:
+By supplying more than 626 bytes of data to the APOP USER command on 1st
+Class Internet Solutions' 1st Class Mail Server, an attacker may
+overflow a buffer resulting in the opportunity to execute code of their
+choosing on the targeted machine with the privileges of the user running
+the service.
+
+Other Mail software may be prone to this attack.
+
+--
+Affected Systems:
+ 1st Class Mail Server
+
+--
+Attack Scenarios:
+An attacker may connect to the service and supply an over-long username
+to overflow the buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Check for other events generated by the source IP address.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2689.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2689
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure disable_receiver_trace
+. This procedure is included in
+sys.dbms_internal_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000742.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000742
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "functions.inc" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "functions.inc" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/3080.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+3080
+
+--
+Summary:
+This event is generated when a remote attacker sends an overly long "secure"
+query to a host acting as an Unreal engine server. This may
+indicate an attempt to exploit a buffer overflow vulnerability.
+
+--
+Impact:
+Serious. A successful buffer overflow can permit the execution of arbitrary
+code on a vulnerable system.
+
+--
+Detailed Information:
+Unreal Tournament 2003 and 2004 are popular games developed by EpicGames and
+available for Linux, Windows and Macintosh platforms. The Unreal engine is
+used for both client and server functionality. An overly long "secure"
+query can be sent to the game server, causing a buffer overflow and the
+subsequent execution of arbitrary code.
+
+--
+Affected Systems:
+ Multiple versions of the Unreal Engine running on Linux, Microsoft
+ Windows and Macintosh platforms.
+
+--
+Attack Scenarios:
+An attacker can send an overly long "secure" query to a vulnerable host, causing
+a buffer overflow and the subsequent execution of arbitrary code.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+Unreal servers can be configured to run on arbitrary ports.
+Administrators should either change the port used in the rule or create
+a variable for the ports to be used in the rule.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the most current nonaffected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak
+
+--
+Additional References:
+
+OSVDB
+http://www.osvdb.org/displayvuln.php?osvdb_id=7217&Lookup=Lookup
+
+--
--- /dev/null
+++ b/doc/signatures/3286.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3286
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2458.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2458
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running has joined a chat room or is examining chat rooms to join.
+
+--
+Impact:
+Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+Yahoo IM provides a means of allowing users who share similar interests to join a chat room and exchange messages. While there are no known exploits associated with exchanging messages, this type of activity may not be appropriate in certain network environments.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attacks.
+
+--
+Ease of Attack:
+No known attacks.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
--- /dev/null
+++ b/doc/signatures/1590.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1590
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1920.txt
@@ -0,0 +1,57 @@
+Nigel: Old reference pointed to something totally unrelated.
+Rule:
+--
+
+Sid:
+1920
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerability associated with the FTP SITE NEWER command that may cause a denial of service or allow the upload of executable files.
+
+--
+Impact:
+Remote access or denial of service. A successful attack can cause a denial of service or allow the upload of executable files on the vulnerable FTP server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability associated with the WU-FTP server version of the SITE NEWER command. It is possible to cause a denial of service attack that consumes memory or upload files to execute arbitrary commands with the privileges of the process running the FTP server.
+
+--
+Affected Systems:
+Hosts running WU-FTPD 2.5.0.
+
+--
+Attack Scenarios:
+An attacker can cause a denial of service or upload files to execute arbitrary commands on the vulnerable FTP server.
+
+--
+Ease of Attack:
+Difficult. No known exploits available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/737
+
+--
--- /dev/null
+++ b/doc/signatures/3156.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3156
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/696.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+696
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client. This can
+lead to unauthorized access and possibly escalated privileges to that of
+the administrator. Data stored on the machine can be compromised and
+trust relationships between the victim server and other hosts can be
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/326.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid: 326
+
+--
+
+Summary:
+This event is generated when a remote command execution exploit against
+a finger daemon is attempted.
+
+--
+Impact:
+Serious. The attacker may be presented with the opportunity to run a
+command of his choice on the target UNIX system
+
+--
+Detailed Information:
+This event is generated when a specific attack against a vulnerable
+version of finger daemon is detected.
+
+The Finger daemon is used to provide information about users on a UNIX
+system. It used to be installed and enabled by default on most
+UNIX/Linux systems. The attack may allow an attacker to execute a
+command remotely on a target system with the privileges of the user
+running the "finger" daemon. The user is usually defined in the
+/etc/inetd.conf file and is commonly designated as "nobody".
+
+--
+Attack Scenarios:
+An attacker may try the attack and then executes a command to download a
+backdoor to the target system. He then connects to the system and may
+attempt to escalate his privileges by exploiting a local SUID
+application to gain "root" privileges.
+
+--
+Ease of Attack:
+Simple, no exploit software is required, just a specially formatted finger query
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the finger daemon or limit the addresses that can access the
+service via firewall or TCP wrappers.
+
+--
+Contributors:
+Original rule written by Max Vision
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS379
+
+Bugtraq:
+http://online.securityfocus.com/bid/974
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0150
+
+--
--- /dev/null
+++ b/doc/signatures/100000355.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000355
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "eSyndiCat" application running on a webserver. Access to the file "cron.php" using a remote file being passed as the "path_to_config" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_config" parameter in the "cron.php" script used by the "eSyndiCat" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using eSyndiCat
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2887.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2887
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_delete_resolution
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/881.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+881
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Guide to network resource tools:
+http://www.acad.bg/beginner/gnrt/specialist/archie.html
+
+--
--- /dev/null
+++ b/doc/signatures/993.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 993
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2629.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2629
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "register_user_repgroup" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "privilege_type" variable
+to cause the overflow. The result could permit the attacker to gain
+escalated privileges and run code of their choosing. This attack
+requires an attacker to logon to the database with a valid username
+and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck94.html
+
+--
--- /dev/null
+++ b/doc/signatures/313.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 313
+
+--
+Summary:
+This event is generated when an attempt to exploit a buffer overflow condition in ntalkd is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to gain remote access to the victim host or execute arbitrary code with the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of the Network Talk Daemon (ntalkd) are vulnerable to a buffer overflow condition which can present the attacker with a root shell.
+
+Talk is used to communicate between users of UNIX based operating systems. A vulnerability exists such that a buffer overflow condition in talk can be exploited by a malicious user. This may then present the attacker with the opportunity to gain root access to the target system.
+
+Affected Versions:
+ Multiple vendors
+
+--
+Attack Scenarios:
+Once the overflow has been created, the attacker is able to supply incorrect hostname information to the target system and gain root access.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/210
+
+--
--- /dev/null
+++ b/doc/signatures/100000847.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000847
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Sitemap" application running on a webserver. Access to the file "sitemap.xml.php" using a remote file being passed as the "mosConfig_absolute_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mosConfig_absolute_path" parameter in the "sitemap.xml.php" script used by the "Sitemap" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Sitemap
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000677.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000677
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Harpia" application running on a webserver.
+Access to the file "topics.php" using a remote file being passed as the
+"header_prog" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "header_prog" parameter in the "topics.php" script used
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1052.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1052
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2214.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2214
+
+--
+Summary:
+This event is generated when an attempt is made to access mailview.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in MailStudio 2000 2.0 and earlier.
+
+--
+Impact:
+Information disclosure.
+
+--
+Detailed Information:
+MailStudio 2000 is mail server software for Solaris or Linux operating systems. It contains a vulnerability where data sent to mailview.cgi is not properly parsed. This can allow an attacker to use directory traversal techniques (/../) within the "html" parameter to view arbitrary files on the system, including other users' email, configuration files, and password files.
+
+--
+Affected Systems:
+Systems running MailStudio 2000 2.0 and earlier.
+
+--
+Attack Scenarios:
+An attacker sends a specially crafted HTTP request to a vulnerable web server with another user's email file as the html argument. The attacker will then be able to view the file.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If a legitimate remote user accesses mailview.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been fixed. Contact the vendor, 3R Soft (http://www.3rsoft.com), for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/1335
+
+--
--- /dev/null
+++ b/doc/signatures/3053.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3053
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+--
+Impact:
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+ Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios:
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2698.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2698
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure create file.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/686.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+
+--
+
+Summary:
+This event is generated when a command is issued to an SQL database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an SQL database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+--
+
+Attack Scenarios:
+Simple. These are SQL database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000174.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+100000174
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in RSA Security RSA Authentication Agent For Web.
+
+--
+Impact:
+Cross site scripting leading to possible inclusion of code of the attackers
+choosing.
+
+--
+Detailed Information:
+A vulnerability exists in RSA Security RSA Authentication Agent For Web that
+may allow an attacker to include code of their choosing due to the improper
+checking of user supplied input.
+
+--
+Affected Systems:
+RSA Security RSA Authentication Agent For Web 5.2
+
+--
+Attack Scenarios:
+An attacker can supply a link to include code of their choosing in data
+supplied to RSA Security RSA Authentication Agent For Web.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml
+Sourcefire Vulnerability Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000740.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000740
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "Import.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "Import.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000596.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000596
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "inv_config_payment.php" using a remote file being passed as
+the "admin_template_path" parameter may indicate that an exploitation attempt
+has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"inv_config_payment.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/220.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+220
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to a
+Telnet server using the phrase "wank". This is a known password for
+the HideSource rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2069.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+2069
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in devices using the IPC@CHIP from Beck IPC GmbH.
+
+--
+Impact:
+Information disclosure
+
+--
+Detailed Information:
+The IPC@CHIP from Beck IPC GmbH is used in network appliances for use in
+controlling those devices via a web interface.
+
+The embedded webserver uses the system root as its default webserver
+root directory. This means an attacker can request any file on the
+system by making an http request for the file.
+
+--
+Affected Systems:
+All devices using this chip.
+
+--
+Attack Scenarios:
+The attacker needs to craft a special URI including chip.ini with a
+request for a file on the system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Network devices using this chip should be closely monitored, access to
+the embedded webserver should be carefully controlled using a firewall
+or disabled where possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2775
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0749
+
+--
--- /dev/null
+++ b/doc/signatures/3011.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+3011
+--
+Summary:
+This event is generated when an attempt is made to find the System
+directory on a target host with the RUX the Tick Trojan.
+
+--
+Impact:
+If successful, the attacker would gain unauthorized access to the system,
+to upload and execute file on the target system. The attacker can use
+this function to upload additional backdoors to the victim's system and
+execute them.
+
+--
+Detailed Information:
+When executed, RUX the Tick opens up its assigned port (default is
+22222) for communication with the attacker. RUX the Tick has three
+functions: Get Windows Directory, Get System Directory, and Upload And
+Execute File. Get Windows Directory and Get System Directory are used
+for reconnaissance. Upload And Execute File is mainly used to upload and
+run other backdoors onto the victim's computer.
+
+--
+Affected Systems:
+ Windows 95/98/ME/NT/2000
+
+--
+Attack Scenarios:
+The victim must first install the server. Be wary of suspicious files
+because they often can be backdoors in disguise. Once the victim
+mistakenly installs the server program, the attacker usually will employ
+an IP scanner program to find the IP addresses of victims that have
+installed the program. Then the attacker enters the IP address, port
+number (which is assigned to the server program by the attacker:
+default is 22222), and presses the connect button and he has access to
+the computer.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Using Windows Task Manager, kill these processes: ruxserver.exe and server.exe.
+Use Windows Explorer to find ruxserver.exe and delete the file.
+
+Keep anti-virus programs updated with the latest definitions.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky Macatee
+
+--
+Additional References:
+
+PestPatrol:
+http://www.pestpatrol.com/PestInfo/R/RUX.ASP
+
+--
--- /dev/null
+++ b/doc/signatures/1716.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1716
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1400.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1400
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1967.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1967
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2398.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2398
+
+--
+Summary:
+This event is generated when an attempt is made to exploit the PHP web
+application WAnewsletter.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the WAnewsletter PHP web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to the
+execution of arbitrary code of the atttackers choosing.
+
+--
+Affected Systems:
+ WAnewsletter
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including a file in
+parameters supplied to the script newsletter.php or db_type.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000177.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000177
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Linksys WRT54G wireless router.
+
+--
+Impact:
+Unauthorized administrative access to the router and it's configuration.
+
+--
+Detailed Information:
+A vulnerability exists in the Linksys WRT54G wireless router that may present
+an attacker with the opportunity to take control of the victim hardware via a
+POST request to the web interface.
+
+This is due to the apply.cgi script not performing proper checks on user
+supplied input that may allow the attacker to overflow a fixed length buffer
+and execute code of their choosing.
+
+--
+Affected Systems:
+Linksys WRT54G Wireless Router firmware 4.0.4.20.6 and prior
+
+--
+Attack Scenarios:
+An attacker can supply a malformed POST request to the apply.cgi script on an
+affected piece of hardware.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied firmware upgrade.
+
+--
+Contributors:
+Original Rule writer rmkml
+Sourcefire Vulnerability Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3159.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3159
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3369.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3369
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1811.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1811
+
+--
+Summary:
+This event is generated when a remote user has exploited a flaw in a
+local SSH server.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+OpenSSH has a flaw in the challenge-response mechanism when configured
+with either the "PAMAuthenticationViaKbdInt" or the
+"ChallengeResponseAuthentication" options. This flaw can be exploited by
+a user who is not authenicated and can lead to the attacker obtaining a
+root shell.
+
+--
+Affected Systems:
+OpenSSH versions 1.2 to 3.3, Solaris 9.0, IBM Linux
+Affinity Toolkit, and HP HP-UX Secure Shell A.03.10.
+
+--
+Attack Scenarios:
+An attacker can cause the service to restart or hang, leaving the
+service unavailable to users.
+
+--
+Ease of Attack:
+Simple. Exploit code available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to latest version of OpenSSH
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5093
+
+--
--- /dev/null
+++ b/doc/signatures/100000388.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000388
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "topman.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "topman.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/798.txt
@@ -0,0 +1,62 @@
+
+Rule:
+
+--
+Sid:
+798
+
+--
+Summary:
+This rule has been placed in deleted.rules. It has been superceded by
+sid 721.
+
+--
+Impact:
+Mail worms may spread rapidly because users execute them.
+
+--
+Detailed Information:
+Windows systems are often configured not to display file extensions.
+By adding a second extension, users get confused and think that an
+executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
+nicegirl.gif but is a visual basic script and not a picture.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.
+
+--
+Ease of Attack:
+Very easy. One needs to attach a file and hope that it gets executed.
+
+--
+False Positives:
+None Known
+Could be an error on sender's side.
+
+--
+False Negatives:
+None Known
+-
+
+--
+Corrective Action:
+Use antivirus software. Configure mail clients securely, especially when
+using windows desktops. Educate your mail users. Deny all attachments at
+the gateway if you can.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by tobias.haecker@to.com
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+See websites of antivirus companies.
+
+--
--- /dev/null
+++ b/doc/signatures/350.txt
@@ -0,0 +1,63 @@
+SID:
+350
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible execution of commands on the affected server as with elevated user privileges
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) has a problem with very
+log directory names. There is insufficent checking on directories
+created by users allowing possible insertion of data into the stack.This
+can lead to execution of code with root / elevated user privileges.
+--
+
+Affected Systems:
+NcFTP Software NcFTPD 2.3.5
+Washington University wu-ftpd 2.4.2 (beta 18) VR10
+RedHat wu-ftpd 2.4.2 b18-2
+Washington University wu-ftpd 2.4.2 academ[BETA-18]
+Probably others as well, susspect anything under Washington University wu-ftpd 2.6.0 for this particular exploit.
+--
+
+Attack Scenarios:
+A local attacker will attempt to create long named directories on the
+ftp server wich are not checked correctly in the server code. This can
+allow commands to be executed with elevated user privileges
+--
+
+Ease of Attack:
+simple, Exploit code exists
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to newest version of wuftpd, or replace with something more secure.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/2329.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2329
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Windows Data Access Components.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS)
+
+--
+Detailed Information:
+It may be possible for an attacker to send a specially crafted response
+to a client broadcast query searching for an SQL server. This response
+could take advantage of a buffer overrun condition in an MDAC component
+which may result in the attacker being presented with the opportunity to
+execute code of their choosing with the privileges of the user running
+the service on the client system.
+
+A DoS condition may also manifest in MDAC version 2.8.
+
+MDAC is included by default on many Microsoft Windows systems. Client
+workstations may make regular broadcast announcements in an attempt to
+find SQL servers.
+
+--
+Affected Systems:
+ Microsoft Data Access Components 2.5
+ Microsoft Data Access Components 2.6
+ Microsoft Data Access Components 2.7
+ Microsoft Data Access Components 2.8
+
+--
+Attack Scenarios:
+The attacker may spoof the response from an SQL server to exploit the
+vulnerability.
+
+--
+Ease of Attack:
+Moderate..
+
+--
+False Positives:
+Since this rule cannot be constrained using ports and the connection
+state for MSDAC is not tracked, false positive events may occur under
+normal circumstances. The $SQL_SERVERS variable in snort.conf should be
+configured correctly to eliminate this behavior.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Disallow access to database servers from sources external to the
+protected network.
+
+Disallow access to database servers from untrusted hosts.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/244.txt
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+244
+
+--
+Summary:
+This event is generated when a DDoS mstream handler directs an mstream agent to begin an attack against a specified target.
+
+--
+Impactn:
+Severe. If the listed source IP is in your network, it may be an mstream handler. If the listed destination IP is in your network, it may be an mstream agent.
+
+--
+Detailed Information:
+The mstream DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack.  There are "handler" hosts that are used to coordinate the attacks and "agent" hosts that launch the attack.  A handler can direct a particular agent to attack a target. It directs the agent by sending it a UDP packet to destination port 10498 with a string of "stream/" in the payload. The target IP and duration of the attack will also be included in the payload.
+
+--
+Affected Systems:
+Any mstream compromised host.
+
+--
+Attack Scenarios:
+After a host becomes an mstream agent, it will likely be directed to participate in a DDoS attack.
+--
+Ease of Attack:
+Simple. mstream code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+There are other known handler-to-agent ports in addition to 10498.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0138
+
+--
--- /dev/null
+++ b/doc/signatures/1889.txt
@@ -0,0 +1,56 @@
+Nigel, Removed isc.incidents.org reference since it is no longer active.
+Rule:
+
+--
+Sid:
+1889
+
+--
+Summary:
+This event is generated when a web server infected by the slapper worm attempts to send traffic via a communication channel.
+
+--
+Impact:
+Remote access and potentially denial of service. A slapper worm infection indicates a successful compromise of the host. A communication channel established between infected hosts can be used as a vehicle for a distributed denial of service attack of a target host or network.
+
+--
+Detailed Information:
+The Apache/mod_ssl worm, also known as slapper, exploits a vulnerability associated with certain versions of OpenSSL. Once a host has been infected by the worm, the worm then attempts to establish a communication channel using UDP port 2002 (both source and destination) to the infecting host. This communication channel is used to create a network for infected hosts to communicate with each other to identify other infected hosts and to deliver attack instructions for other sites.
+
+--
+Affected Systems:
+Linux hosts running Apache with mod_ssl using SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.
+
+--
+Attack Scenarios:
+The communication channel created by the slapper worm allows infected hosts to receive direction from other infected hosts. This can be used, for instance, to coordinate a DDoS attack.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It has been observed that the port number for the communication channel may vary. Ports 1978 and 4156 have also been seen.
+
+--
+Corrective Action:
+Apply the appropriate patch or upgrade to the most current version of OpenSSL.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CERT
+http://www.cert.org/advisories/CA-2002-27.html
+
+--
--- /dev/null
+++ b/doc/signatures/100000172.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+100000172
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Lynx text-based web browser.
+
+--
+Impact:
+Code execution on the victim machine with the privileges of the user running
+Lynx.
+
+--
+Detailed Information:
+A vulnerability exists in the way that Lynx handles links when browsing NNTP
+resources. The function that handles the display of information from article
+headers when listing available files on the server, inserts extra characters to
+handle certain character sets. This function does not properly check how much
+extra data is inserted and it is possible to overflow a static buffer and
+execute code in the context of the browser process.
+
+--
+Affected Systems:
+Lynx versions 2.8.6 and prior
+
+--
+Attack Scenarios:
+An attacker would need to supply a malicious link on an nntp server to the user
+using Lynx.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate patch.
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original Rule writer rmkml
+Sourcefire Vulnerability Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+Original advisory posting:
+http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038019.html
+
+--
--- /dev/null
+++ b/doc/signatures/2589.txt
@@ -0,0 +1,93 @@
+Rule:
+
+--
+Sid:
+2589
+
+--
+Summary:
+This event is generated when an attempt is made to return to
+a web client a file in the Content-Disposition Header with a
+Class ID (CLSID) embedded in the file name.
+
+--
+Impact:
+A successful attack may trick a client on a vulnerable host to download
+a malicious file that will be executed by the Windows Shell.
+
+--
+Detailed Information:
+Internet Explorer does not correctly handle or display specially
+crafted files in the browser dialogue where the user choses the
+action (e.g., open, save, cancel) for a downloaded file.
+Specifically, these are overly long file names that employ URL
+encoding of "." %2E before the file extension and contain the
+Class ID (CLSID) associated with the Windows Shell in the file name.
+
+This serves two purposes; the first is that the file name will
+be truncated in the user dialog so the user doesn't see the
+CLSID reference, making it appear to be a more innocuous file
+with a known extension such as mpg or pdf. Second, the downloaded
+file will actually contain malcious commands that will be
+executed by the Windows Shell when opened because of the hidden
+CLSID in the file name.
+
+Currently, the only known CLSID that exploits this vulnerability
+is associated with the Windows Shell. Yet, it may be possible
+for another CLSID to be discovered in the future that would be
+associated with a COM component that could be used for malicious
+purposes.
+
+--
+Affected Systems:
+ Windows NT Workstation/Server 4.0 SP6a
+ Windows NT Workstation/Server 4.0 SP6a with Active Desktop
+ Windows NT Server 4.0 Terminal Server Edition SP6
+ Windows 2000 SP2-SP4
+ Windows XP and XP SP1
+ Windows XP 64-Bit Edition SP1
+ Windows XP 64-Bit Edition Version 2003
+ Windows Server 2003
+ Windows Server 2003 64-Bit Edition
+
+--
+Attack Scenarios:
+An attacker can entice a user to visit a web server that
+will return a malicious file with a file name that contains
+a CLSID, perhaps enabling the execution of the malicious
+code when the file is opened.
+
+--
+Ease of Attack:
+Simple. Exploit code is publicly available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Judy Novak
+
+--
+Additional References
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0420
+
+Bugtraq:
+http://www.securityfocus.com/bid/9510
+
+Other:
+http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/100000382.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000382
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_users.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_users.php" script used by the "phpNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpNuke
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1784.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+
+1784
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "nude celeb".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "nude celeb".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website. etc.etc.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Steven Alexander
+--
+Additional References:
+
+
+
+
+
+
+
+--
--- /dev/null
+++ b/doc/signatures/2188.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2188
+
+--
+Summary:
+This event is generated when a suspicious packet using an unusual
+protocol is sent to a router.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in multiple Cisco IOS versions such that a Denial
+of Service condition can be issued against a device by sending multiple
+packets using IP protocols 53, 55, 77 and 103 directly to that device.
+
+Cisco IOS processes these packets and under certain circumstances, can
+be made to incorrectly flag an input interface as being full.
+
+--
+Affected Systems:
+Multiple versions of Cisco IOS.
+
+--
+Attack Scenarios:
+An attacker may send a large number of IP packets using one of the
+protocols 53, 55, 77 or 103 directly to a router. Exploit code exists.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3308.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3308
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2721.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2721
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_columns_to_flavor
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000321.txt
@@ -0,0 +1,78 @@
+
+
+Rule:
+
+--
+Sid:
+100000321
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "ScozNet ScozNews" application running on a
+webserver. Access to the file "help.php" using a remote file being passed as
+the "main_path" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "main_path" parameter in the "help.php" script used by
+the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2895.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2895
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_varchar2
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3043.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3043
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+--
+Impact:
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+ Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios:
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1599.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1599
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/301.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 301
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in LPRng.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+LPRng is an implementation of the Berkeley lpr print spooling protocol. Some versions are vulnerable to a format-string attack that takes advantage of a bug in the syslog() wrapper. Successfull exploitation may present a remote attacker with the ability to execute arbitrary code using the privileges of the LPD daemon owner (typically root).
+
+Arbitrary addresses in the lpd process address space can be overwritten by sending specially crafted packets to the LPRng daemon listening on port 515 to execute arbitrary code or generate a segmentation violation.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to LPRng port 515 from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1712
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+--
--- /dev/null
+++ b/doc/signatures/3456.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+3456
+
+--
+
+Summary:
+This event is generated when the user "root" logs in to a MySQL database from an external source.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when someone using the name "root" logs in to a MySQL database.
+
+The 'root' user may have access to all databases on the system, with full privileges to add users, delete data, add information, etc.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+--
+
+Attack Scenarios:
+Simple. The user logs in with the username 'root', full access is then granted to that user for all databases served by the MySQL daemon. The attacker may then continue to gain sensitive information from any database in the system.
+
+--
+
+Ease of Attack:
+Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in as the root user from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2019.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2019
+
+--
+Summary:
+The RPC service mountd enables clients to connect to networked file
+dismounted via UDP.
+
+--
+Impact:
+Denial of network resources to users on the local area network.
+
+--
+Detailed Information:
+This may be an attempt to deny access to network resources from an
+unauthorized source. It may also be indicative of an attacker probing
+for RPC services on a host in an attempt to discover a possible entry
+point to network resources via a vulnerable daemon.
+
+--
+Affected Systems:
+All systems allowing network shares to be unmounted by anonymous hosts,
+all systems allowing RPC services to be stopped by ordinary users and
+systems already compromised by an attacker via another vulnerability.
+
+--
+Attack Scenarios:
+This is an intelligence gathering activity, the attacker could remotely
+unmount a shared resource to deny a resource to the local area network
+or a probe to discover possible routes of entry into a system.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+When allowing hosts to mount an external network share, consider using a
+hosts.allow file.
+
+Do not allow shares to be unmounted by unauthorized hosts or users.
+
+RPC services should not be available outside the local area network,
+filter RPC ports at the firewall to ensure access is denied to RPC
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/159.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+159
+
+--
+Summary:
+This event is generated when an attempt is made to list files on a host infected with the NetMetro Trojan Horse.
+
+--
+Impact:
+Limited control of the target host.
+
+--
+Detailed Information:
+Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+The server portion opens TCP port 5031 by default to establish a connection between client and server.
+
+--
+Affected Systems:
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is named NMS.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+A reboot of the infected machine is recommended. The Trojan does not start automatically at boot time nor does it change any system registry settings.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS79
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/NetMetro/index.html
+
+--
--- /dev/null
+++ b/doc/signatures/100000627.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000627
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "message_send.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"message_send.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1119.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1119
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1417.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+1417
+
+--
+
+Summary:
+This event is generated when an SNMP-Trap connection over UDP to an SNMP
+daemon is made.
+
+--
+
+Impact:
+Information gathering
+
+--
+
+Detailed Information:
+The SNMP (Simple Network Management Protocol) Trap daemon usually
+listens on port 161, tcp or udp.
+
+An attacker may attempt to send this request to determine if a device is
+using SNMP.
+
+--
+
+Affected Systems:
+Devices running SNMP daemons on well known ports.
+
+--
+
+Attack Scenarios:
+An attacker sends a packet directed to udp port 161, if sucessful a
+reply is generated and the attacker may then launch further attacks
+against the SNMP daemon.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None known.
+
+--
+
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Use a packet filtering firewall to protect devices using the SNMP
+protocol and only allow connections from well-known hosts.
+
+--
+
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Chaos
+
+--
+
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
+
+
+--
--- /dev/null
+++ b/doc/signatures/122-7.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-7
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a tcp
+filtered portsweep was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker
+Marc Norton
+Jeremy Hewlett
+Nigel Houghton
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
--- /dev/null
+++ b/doc/signatures/2864.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2864
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_raw
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000734.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000734
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "MassDelete.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "MassDelete.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000513.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000513
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "SAPHPLesson" application running on a webserver. Access
+to the file "showcat.php" with SQL commands being passed as the "forumid"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "forumid" parameter in the "showcat.php" script used by
+the "SAPHPLesson" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SAPHPLesson
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/1501.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1501
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1248.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1248
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft FrontPage
+Server Extensions.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft FrontPage Server Extensions. Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+ All systems running Microsoft FrontPage Server Extensions
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000509.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000509
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "RahnemaCo" application running on a webserver.
+Access to the file "page.php" using a remote file being passed as the "pageid"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "pageid" parameter in the "page.php" script used by the
+"RahnemaCo" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using RahnemaCo
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/440.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+
+Sid:
+440
+
+--
+
+Summary:
+This event is generated when an ICMP Type 19 datagram with an undefined ICMP Code is detected on the network.
+
+--
+
+Impact:
+ICMP Type 19 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 19 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
--- /dev/null
+++ b/doc/signatures/899.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+899
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/926.txt
@@ -0,0 +1,62 @@
+SID:
+926
+--
+
+Rule:
+--
+
+Summary:
+This even indicates an attempt to exploit undocumented CFML tags on a
+Allaire ColdFusion Server
+--
+
+Impact:
+Extensive server data retrieval including settings and passwords
+--
+
+Detailed Information:
+Undocumented CFML tags allow reading and decryption of sensitive data
+contained on servers running Allaire ColdFusion Server 2.0 - 4.0.1. This
+data can be accesses by constructing a hosted application that accesses
+these undocumented tags with the possibility of changing values on the
+server and reading admin and studio passwords
+--
+
+Affected Systems:
+ Allaire ColdFusion Server 2.0 - 4.0.1
+--
+
+Attack Scenarios:
+A user with permission to create pages on the server installs an
+application that accesses the undocumented CFML tags, accessing this
+application would allow viewing and possible modifications of these
+settings
+--
+
+Ease of Attack:
+Medium, Attackers need the ability to add files to the server. No "In
+the Wild" exploits were available at type of writing
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Patches are available from Allaire, install them.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/1563.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1563
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1514.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1514
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1386.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1386
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client. This can
+lead to unauthorized access and possibly escalated privileges to that of
+the administrator. Data stored on the machine can be compromised and
+trust relationships between the victim server and other hosts can be
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1812.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 1812
+
+--
+Summary:
+Secure Shell (SSH) is used to remotely manage systems over encrypted TCP
+sessions. This event is generated when an attempt is made to exploit
+vulnerable versions of the SSH daemon.
+
+--
+Impact:
+System compromize presenting the attacker with either the opportunity to
+execute arbitrary code with the privileges of the user running the SSH daemon (usually root) or a possible Denial of Service (DoS).
+
+--
+Detailed Information:
+OpenSSH versions prior to 3.3 contain a flaw that could allow a remote attacker to compromise a vulnerable SSH daemon via an integer overflow on systems with BSD_AUTH or SKEY options compiled and PAM authentication or Challenge Response Authentication enabled.
+
+Affected Systems:
+ OpenSSH versions 2.9 to 3.2
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Enable the privilege separation option in OpenSSH 3.3 if possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Securityfocus:
+http://www.securityfocus.com/bid/5093
+
+--
--- /dev/null
+++ b/doc/signatures/1534.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1534
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3465.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+3465
+
+--
+Summary:
+This event is generated when an attempt is made to access the cgi script
+show.pl.
+
+--
+Impact:
+Use of script as an open proxy.
+
+--
+Detailed Information:
+RiSearch is a collection of cgi scripts written in Perl to facilitate
+web site search functionality. Some versions of the script show.pl do
+not correctly sanitize user input. This may present an attacker with the
+opportunity to use the script as an open proxy server, possibly in
+attempts to execute web attacks against other systems anonymously.
+
+Specifically, it may be possible for an attacker to supply their own
+input to the "uri" parameter.
+
+--
+Affected Systems:
+ RiSearch 0.99.8 and prior
+ RiSearch Pro 3.2.6
+
+--
+Attack Scenarios:
+An attacker can supply a URI of their choosing as a value for the
+uri parameter
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3048.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3048
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+--
+Impact:
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+ Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios:
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3038.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3038
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+ Samba 3.0.8 and prior
+
+--
+Attack Scenarios:
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1653.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1653
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+If the webserver has pages or directories by the name of campus this rule will
+fire often.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+False positive information contributed by Colin Harford
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000706.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000706
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SmartSiteCMS" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "root" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "root" parameter in the "index.php" script used by the "SmartSiteCMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SmartSiteCMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1186.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1186
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-ver-diff".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+ Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+--
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server.
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
+
+--
--- /dev/null
+++ b/doc/signatures/1190.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+1190
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a
+vulnerability in some versions of Netscape Enterprise Server.
+
+--
+Impact:
+Information leak which could provide an attacker with the data needed to
+launch further attacks or gain more detailed information about your web server.
+
+--
+Detailed Information:
+A user can see a directory listing by appending a Web Publishing command
+to the end of a directory URL, for example: "http://www.sun.com/?wp-uncheckout".
+
+This exploit will work on Netscape Enterprise Server regardless of
+directory indexing settings.
+
+It will not work on iPlanet Web Server if directory indexing is set to
+"none" or "fancy" (the default). Web Publishing need not be enabled for
+this exploit to work.
+
+--
+Affected Systems:
+ Netscape Enterprise Server 3.0, 3.51 and 3.6
+
+--
+Attack Scenarios:
+The gathering of information such as directory listings is valuable when
+planning to attack a web server.
+
+--
+Ease of Attack:
+Simple. No exploit software required however, an automated tool for
+scanning exists as does an exploit script.
+
+--
+False Positives:
+A web server that uses URLs which contain web publishing commands.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Disable directory indexing. For earlier versions of Netscape Enterprise
+Server, this may not fix the problem. On iPlanet, you can also change
+the indexing type to "fancy".
+
+To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.
+
+--
+Contributors:
+Snort documentation contributed by Kevin Peuhkurinen
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+iPlanet Knowledge Base Article 4302:
+http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html
+
+iPlanet Knowledge Base Article 7761:
+http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html
+
+--
--- /dev/null
+++ b/doc/signatures/100000591.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000591
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "editor_delete.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"editor_delete.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2139.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 2139
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a vulnerabliity in BEA Systems WebLogic server.
+
+--
+Impact:
+Information gathering, source code disclosure.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a vulnerabliity in BEA Systems WebLogic server.
+
+A weakness in the configuration of the WebLogic server from BEA Systems allows an attacker to view the source code of .jsp and .jhtml pages that reside in the root directory of the webserver. A request for these documents prefixed with /*.shtml/ will exploit a vulnerability in the handling of Server Side Include Servlet (SSIServlet) such that the webserver will return the documents unparsed, rendering the source code viewable.
+
+--
+Affected Systems:
+BEA Systems WebLogic Enterprise 5.1 and 5.1.x
+
+--
+Attack Scenarios:
+An attacker can retrieve the source code of a .jsp file by making a web request in the form: http://www.foo.com/*.shtml/target.jsp.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3227.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3227
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3304.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3304
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2088.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2088
+
+--
+Summary:
+vulnerability in the rcp service ypupdated.
+
+--
+Impact:
+Information disclosure and possible code execution.
+
+Unauthorized super user access to the vulnerable host resulting in a
+compromise of all data on the host and any network resources that host
+is connected to. Full control of the victim is gained.
+
+--
+Detailed Information:
+The ypupdated service is used in conjunction with NIS servers to
+remotely update changes made in NIS databases.
+
+On recieving a request the yupdated service executes a make command
+using the Bourne shell. It is possible to execute code using
+metacharacters in the request.
+
+Commands and code after the metacharacters in the request will be
+executed with the privileges of the super user on the vulnerable system.
+
+--
+Affected Systems:
+ HP-UX 10.1, 10.10 and 10.20
+
+ IBM AIX 3.2 and 4.1
+
+ NEC EWS-UX/V (Rel4.2MP), (Rel4.2)
+ NEC UP-UX/V (Rel4.2MP)
+ NEC UX/4800 (64)
+
+ SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3
+ SGI IRIX 4.0, 4.0.1 T, 4.0.1,4.0.2, 4.0.3, 4.0.4 T, 4.0.4 B, 4.0.4, 4.0.5 IPR, 4.0.5 H, 4.0.5 G, 4.0.5 F, 4.0.5 E, 4.0.5 D, 4.0.5 A, 4.0.5 (IOP), 4.0.5
+ SGI IRIX 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3 XFS, 5.3
+ SGI IRIX 6.0, 6.0.1 XFS, 6.0.1
+
+ Sun SunOS 4.1 PSR_A, 4.1, 4.1.1, 4.1.2, 4.1.3 c, 4.1.3 _U1, 4.1.3, 4.1.4 -JL, 4.1.4
+
+--
+Attack Scenarios:
+The attacker needs to craft a specially formulated request to the
+rpc.ypupdated service containing a long username. An exploit for this
+vulnerability exists.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply pacthes for the affected systems as soon as possible.
+
+Disable the rpc.ypupdated daemon.
+
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1749
+
+--
--- /dev/null
+++ b/doc/signatures/1644.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1644
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1323.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid: 1323
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a format string vulnerability in the rwhois daemon from Network Solutions.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity to execute arbitrary code.
+
+--
+Detailed Information:
+Certain versions of rwhoisd from Network Solutions contain a programming error that allows an attacker to execute arbitrary code. The error is present when used with the Start of Authority (soa) file directive.
+
+Referral Whois (rwhois) is a directory service used to provide information on hosts and networks connected to the internet.
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0838
+
+Bugtraq:
+http://www.securityfocus.com/bid/3474
+
+--
--- /dev/null
+++ b/doc/signatures/2966.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2966
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/3307.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3307
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/459.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+459
+
+--
+
+Summary:
+This event is generated when an ICMP Type 1 datagram with an undefined ICMP Code is detected on the network.
+
+--
+
+Impact:
+ICMP Type 1 datagrams are not currently used by any known devices.
+
+--
+
+Detailed Information:
+ICMP Type 1 is not defined for use and is not expected network activity. Any ICMP datagram with an undefined ICMP Code should be investigated.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Ingress filtering should be utilized to block incoming ICMP Type 1 datagrams
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+Nigel Houghton
+
+--
+
+Additional References:
+None
+
+
+--
--- /dev/null
+++ b/doc/signatures/2110.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+2110
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow condition in the Post Office Protocol (POP) command STAT.
+
+--
+Impact:
+Possible remote execution of arbitrary code leading to a remote root
+compromise.
+
+--
+Detailed Information:
+A vulnerability exists such that an attacker may overflow a buffer by
+sending a line feed character to a POP server via the STAT command.
+
+--
+Attack Scenarios:
+Simple.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+RFC 1939:
+http://www.faqs.org/rfcs/rfc1939.html
+
+--
--- /dev/null
+++ b/doc/signatures/2051.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2051
+
+--
+Summary:
+designated root directory of a web server.
+
+--
+Impact:
+Theft of data and important system information may be disclosed to an
+unauthorized party.
+
+--
+Detailed Information:
+The script handling file viewing from the vendor moreover.com contains an error that allows files outside the designated root directory to be viewed in a browser.
+
+The script does not perform checks for the characters ".." when supplied
+by a user in a URL. This allows a classic directory traversal attack to
+be performaed against the server.
+
+--
+Affected Systems:
+Version 1.0 from moreover.com
+
+--
+Attack Scenarios:
+The attacker merely needs to enter a URL using ../ to traverse the file
+system for example:
+http://www.foo.com/cgi-bin/cached_feed.cgi?../../../etc/passwd
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to version 2.0 or later
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/1762
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0906
+
+--
--- /dev/null
+++ b/doc/signatures/1070.txt
@@ -0,0 +1,75 @@
+Rule:
+
+Sid:
+1070
+
+--
+
+Summary:
+This event is generated when an attempt is made to initiate a WebDAV SEARCH
+on a web server.
+
+--
+Impact:
+Information gathering. Potential Denial of Service (DoS).
+
+--
+Detailed Information:
+IIS 5.0 includes an implementation of WebDAV for purposes of web publishing.
+As shipped, it contains two vulnerabilities that can allow an attacker
+to get a complete directory listing from the web root and to DoS the
+web server.
+
+If the target is IIS 5.0, then an attacker may have gotten a complete
+directory listing from within the web root, which can be useful information
+for attackers (could be a prelude to a more serious attack). IIS 5.0's
+WebDAV implementation is also vulnerable to a Denial of Service vulnerability
+if the search string is too long.
+
+--
+Affected Systems:
+ IIS 5.0
+ Any web server running WebDAV, though no exploits are known for servers
+ other than IIS 5.0.
+
+--
+Attack Scenarios:
+Attacker gets a listing by sending something like:
+SEARCH / HTTP/1.1
+Attacker DoSes the web server using pre-existing tools.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check the host for signs of compromise.
+
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+Disallow WebDAV access to the server from resources external to the
+protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+Alex Kirk
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000759.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000759
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "QTO File Manager" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "edit" parameter in the "qtofm.php" script used by the "QTO File Manager" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using QTO File Manager
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000420.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000420
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Informium" application running on a webserver. Access to the file "common-menu.php" using a remote file being passed as the "CONF[local_path]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "CONF[local_path]" parameter in the "common-menu.php" script used by the "Informium" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Informium
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/105-1.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+105-1
+
+--
+Summary:
+This event is generated when the pre-processor spp_bo detects network
+traffic that may constitute an attack. Specifically back orifice
+traffic was detected.
+
+--
+Impact:
+Unknown. This is possible Trojan activity.
+
+--
+Detailed Information:
+This event is generated when the spp_bo pre-processor detects network
+traffic that may consititute an attack.
+
+Back Orifice is a Trojan horse program for Microsoft systems. This event
+may indicate that this Trojan is active and in use on the protected
+network.
+
+--
+Affected Systems:
+ Microsoft Windows 95, 98, ME, NT, 2000
+
+--
+Attack Scenarios:
+This is Trojan activity. An attacker can use this Trojan to control the
+target host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2745.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2745
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_snapshot_propagation
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000140.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+100000140
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow in
+the MySQL MaxDB web server.
+
+--
+
+Impact:
+A denial of service will occur, and arbitrary code may be executed with the
+privileges of the user running the web server.
+
+--
+Detailed Information:
+If an HTTP GET request beginning with a "%" character and followed by at least
+215 non-newline characters is sent to the MySQL MaxDB web server, a buffer
+overflow will occur. This will result in a denial of service, and possibly
+execution of arbitrary code with the privileges of the user running the web
+server.
+
+--
+Affected Systems:
+MySQL MaxDB >= 7.5.00.24
+
+--
+
+Attack Scenarios:
+This vulnerability may be exploited with a web browser or an automated script.
+
+--
+
+Ease of Attack:
+Simple, as a web browser can be used.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Upgrade to version 7.5.00.26 or higher.
+
+--
+Contributors:
+Alex Kirk
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/895.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+895
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3437.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3437
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000577.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000577
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "cat_path_update.php" using a remote file being passed as
+the "admin_template_path" parameter may indicate that an exploitation attempt
+has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"cat_path_update.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/675.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+675
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client. This can
+lead to unauthorized access and possibly escalated privileges to that of
+the administrator. Data stored on the machine can be compromised and
+trust relationships between the victim server and other hosts can be
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/267.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+267
+
+--
+Summary:
+This event is generated when spurious DNS traffic is detected on the network.
+
+--
+Impact:
+Ranges from harmless to severe. A successful corrupted DNS IP and name pairing can range from harmless (if the IP is not used) to severe (if a user is misdirected to a hostile host).
+
+--
+Detailed Information:
+This event indicates that abnormal DNS traffic has been detected. The implications are varied and careful investigation of the source and destination should be undertaken.
+
+This may be the result of an improperly configured DNS server or it may be an indication that an attack against the DNS server is underway.
+
+--
+Affected Systems:
+Any DNS server.
+
+--
+Attack Scenarios:
+An attacker can spoof a DNS response to misrepresent an IP to host/name pairing. The forged host name can direct a user to a potentially hostile host.
+
+--
+Ease of Attack:
+Simple to Difficult depending on the DNS implementation.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Consider using DNSSEC where appropriate.
+
+Keep all DNS software up to date and correctly configured.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2313.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2313
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+ Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2748.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2748
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_column_group
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2772.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2772
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_date
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3411.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3411
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2959.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2959
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/2817.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2817
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_column_group_to_flavor
+. This procedure is included in
+sys.dbms_repcat_fla_mas.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000327.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000327
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "ScozNet ScozNews" application running on a webserver. Access to the file "admin_import.php" using a remote file being passed as the "main_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "main_path" parameter in the "admin_import.php" script used by the "ScozNet ScozNews" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using ScozNet ScozNews
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2297.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2297
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+ All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/875.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+875
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000823.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000823
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "ignore-pm.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "ignore-pm.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/611.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid: 611
+
+--
+Summary:
+This event is generated when a remote login attempt using rlogin fails.
+
+--
+Impact:
+Someone has tried to login using rlogin and failed
+
+--
+Detailed Information:
+This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution.
+
+Multiple events may indicate that an attacker is attempting a brute force password guessing attack.
+
+--
+Attack Scenarios:
+An attacker finds a machine with rlogin service running and proceeds to guess the password remotely by connecting multiple times.
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives:
+A legitimate user may generate an event by entering an incorrect password.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors:
+Original rule by Max Vision modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+Arachnids:
+http://www.whitehats.com/info/IDS392
+
+--
--- /dev/null
+++ b/doc/signatures/100000344.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000344
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "SocketMail" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "site_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "site_path" parameter in the "index.php" script used by the "SocketMail" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using SocketMail
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000622.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000622
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "mail_modify.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "mail_modify.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000393.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000393
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Ovidentia" application running on a webserver. Access to the file "start.php" using a remote file being passed as the "babInstallPath" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "babInstallPath" parameter in the "start.php" script used by the "Ovidentia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ovidentia
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1257.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1257
+
+--
+Summary:
+This event is generated when an attempt is made to use WinNuke against a
+host.
+
+--
+Impact:
+Serious. Possible Denial of Service (DoS), this can cause a system to
+crash or lose network connectivity
+
+--
+Detailed Information:
+An attacker can send a malformed data packet to and networked host over
+TCP and cause a DoS, loss of network connectivity, or a system crash.
+
+--
+Affected Systems:
+ Windows NT Workstation and Server 4.0
+ Windows NT Workstation and Server 3.5.x
+ Windows 3.1x
+ Windows 95
+--
+Attack Scenarios:
+Program is run against a system in an attempt to knock the system off
+the network.
+
+--
+Ease of Attack:
+Simple. An attacker runs WinNuke and enters an IP address of a target
+system.
+
+--
+False Positives:
+None Known.
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Since there is no known fix for several of the affected operating
+systems, SMB traffic should be blocked at the firewall and all TCP
+traffic on ports 139/135 should be dropped.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Mike Rivett ebiz@rivett.org
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1209.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1209
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1855.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1855
+
+--
+Summary:
+This event is generated when activity indicating the presence of a
+variant of the Stacheldraht DDOS tool is detected.
+
+--
+Impact:
+Distributed Denial of Service (DDoS) is possible.
+
+--
+Detailed Information:
+Stracheldraht is a Distributed denial of service tool normally found on
+Sun Solaris machines. It is made up of a Client, handler and agent. The
+clients connects to the handler. Handlers can connect with up to 1000
+agents. Communication between the client and the handler is conducted
+using tcp and the communication between the handler and the agent can be
+either tcp or icmp_echoreply. This rule detects the a message sent from
+the agent to the handler. This message is used to tell the handler that
+the machine is still alive and able to take requests. The handler will
+then reply with the string "ficken". This traffic differs from the
+traffic described on
+http://staff.washington.edu/dittrich/misc/stacheldraht.analysis because the
+packets have an icmp id of 6666 rather than 666 as noted in the analysis.
+
+--
+Affected Systems:
+ Sun Solaris
+
+--
+Attack Scenarios:
+The agent can be used to mount a distributed denial of service attack. It
+also indicates that a machine is compromised.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+The icmp id along with the keywords may be changed in the
+source code which would then evade this rule.
+
+--
+Corrective Action:
+Disconnect power from the machine and perform forensic analysis on the
+hard drives.
+
+--
+Contributors:
+Snort documentation contributed by Ian Macdonald
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1815.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1815
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1704.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1704
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/884.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+884
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the CGI web application Formmail running on a server.
+
+--
+Impact:
+Several vulnerabilities include server access, information
+disclosure, spam relaying and mail anonymizing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the perl cgi
+script Formmail. Early versions (1.6 and prior) had several vulnerabilities
+(Spam engine, ability to run commands under server id and set
+environment variables) and should be upgraded immediately. Newer
+versions can still be used by spammers for anonymizing email and
+defeating email relay controls.
+
+--
+Affected Systems:
+ All systems running Formmail
+
+--
+Attack Scenarios:
+Information can be appended to the URL to use your
+mail gateway avoiding SMTP relay controls. HTTP header information can
+be manipulated to avoid access control methods in script. Allows SMTP
+exploits that are normally available only to trusted (local) users such
+as Sendmail % hack.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+Legitimate use of the script can cause alerts. Verify
+packet payload and watch web/mailserver logfiles.
+
+--
+False Negatives:
+If the name of the script has been changed this rule will not generate
+an event.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com)
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/107.txt
@@ -0,0 +1,119 @@
+Rule:
+
+--
+Sid:
+107
+
+--
+Summary:
+Subseven22 is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+ Windows XP
+
+No other systems are affected. This is a windows exceutable that makes
+changes to the system registry, Win.ini and System.ini. When first
+executed the Trojan replicates itself and in most cases, gives the copy
+a random name. This Trojan may use the file extensions ".exe" or ".dll".
+
+Subseven is an improved version of the Netbus Trojan (see sids 114,
+115), Subseven DEFCON8 2.1 is an improved version of Subseven that
+affects Windows 95 and 98 implementations.
+
+The Trojan changes system startup files and registry settings to add the
+Subseven sever to programs normally started on boot.
+
+ SID Message
+ --- -------
+ 103 subseven 22 (incoming TCP connection)
+ 107 subseven DEFCON8 2.1 access (outgoing TCP connection)
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+This is a particularly difficult Trojan to remove and should only be
+attempted by an experienced Windows Administrator.
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_CLASSES_ROOT\exefile\shell\open\command
+ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Run
+ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\RunServices
+ HKEY_LOCAL_MACHINE\Hardware\Data
+ HKEY_LOCAL_MACHINE\Hardware\Enum
+ HKEY_LOCAL_MACHINE\Software\Microsoft\DirectXMedia
+
+Registry keys added are:
+
+ HKEY_CLASSES_ROOT\.dl
+
+Removal of the replicant is also required, look for files ending in
+".exe" or ".dll" in the :\Windows\ or :\Windows\System\
+folders that use alphanumeric file names. The name of the replicant may
+be in one of the registry keys above.
+
+A machine reboot is required to clear the existing process from running
+in memory.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/subseven/
+
+McAfee
+http://vil.mcafee.com/dispVirus.asp?virus_k=10566
+http://vil.nai.com/vil/content/v_10566.htm
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven22.html
+
+F-Secure:
+http://www.f-secure.com/v-descs/subseven.shtml
+
+--
--- /dev/null
+++ b/doc/signatures/100000100.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+100000100
+
+--
+Summary:
+This event is generated when a URI of 1,050 bytes ore more is requested from an
+internal web server.
+
+--
+
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule is used in conjunction with SID 100000101 to detect buffer overflow
+attacks against the Adobe Acrobat/Acrobat Reader ActiveX Control, pdf.ocx. This
+rule should never generate an alert.
+
+--
+Affected Systems:
+Adobe Acrobat 5.0
+Adobe Acrobat 5.0.5
+Adobe Acrobat 6.0
+Adobe Acrobat 6.0.1
+Adobe Acrobat Reader 5.0
+Adobe Acrobat Reader 5.0.5
+Adobe Acrobat Reader 5.1
+Adobe Acrobat Reader 6.0
+Adobe Acrobat Reader 6.0.1
+
+--
+
+Attack Scenarios:
+A web browser or automated script may be used to exploit this vulnerability.
+
+--
+
+Ease of Attack:
+Simple, as simply typing a long URI into a web browser will suffice.
+
+--
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Upgrade to Adobe Acrobat/Acrobat Reader 6.0.2.
+An alternate workaround is available: disable "Display PDF in browser" under
+Edit -> Preferences.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Alex Kirk
+
+--
+Additional References:
+http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=2589&fileID=2433
+
+--
--- /dev/null
+++ b/doc/signatures/100000595.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000595
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "inv_config.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "inv_config.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1363.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid: 1363
+
+--
+Summary:
+This event is generated when execution of a common X Window system command is attempted via HTTP.
+
+--
+Impact:
+The attacker may be able to initiate an X session on the web server.
+
+--
+Detailed Information:
+This rule generates an event when an X Windows system command command is used with a parameter to set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web server.
+
+The "display" parameter is used to specify an address for the X server to listen for connections.
+
+The rule looks for the "display" parameter in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the parameter in the URL indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode i.e. without a valid shell session.
+
+This rule may also generate an event if it detects this command in an unencrypted HTTP tunneling connection to the server or a shell connection through an exploit of the web server.
+
+--
+Attack Scenarios:
+An attacker launches an "xterm" as the web server user and points it to his machine via the 'display" parameter.
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Webservers should not be allowed to view or execute files and binaries outside of its designated web root or cgi-bin.
+
+This command may also be requested on a command line should the attacker gain access to the machine.
+
+Non-essential binaries should be removed from a webserver once it is in production.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1333.txt
@@ -0,0 +1,80 @@
+Rule:
+
+--
+Sid:
+1333
+
+--
+Summary:
+Attempted id command access via web
+
+--
+Impact:
+Attempt to gain information on users and groups that exist on the host
+using the id command.
+
+--
+Detailed Information:
+This is an attempt to gain intelligence about the users on a webserver.
+id is a UNIX command that will return information about the system's
+users and groups. This information is valuable to an attacker who can
+use it to plan further attacks based on the users possible login
+information or be more effective in targeting specific users and groups
+who possess elevated privileges . The id command will return information
+on the user, the groups the user belings to and the users' "gid" and "uid".
+
+The rule looks for the "id" command in the client to web server network
+traffic and does not indicate whether the command was actually
+successful in showing the user information. The presence of the "id"
+command web traffic indicates that an attacker attempted to trick the
+web server into executing system in non-interactive mode i.e. without a
+valid shell session.
+
+Alternatively this rule may trigger in an unencrypted HTTP tunneling
+connection to the server or a shell connection via another exploit
+against the web server.
+
+--
+Attack Scenarios:
+1. The attacker can make a standard HTTP request that contains
+'/usr/bin/id' in the URI which can then return sensitive information on
+groups and users present on the host.
+
+2. This command may also be requested on a command line should the
+attacker gain access to the machine.
+
+3. An attacker uses a "id" command via a web server connection to test
+what username the web server runs under. He then looks for all the files
+writable by this user and find a web server configuration file with
+wrong permissions.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+Additional information from Anton Chuvakin
+
+--
+Additional References:
+sid: 1332
+
+man id
+
+--
--- /dev/null
+++ b/doc/signatures/1675.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1675
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2197.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2197
+
+--
+Summary:
+This event is generated when an attempt is made to access cvsview2.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in cvsview2.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the cvsview2.cgi file, providing the attacker with information about the server directory structure.
+
+--
+Affected Systems:
+Any system running Mozilla Bonsai 1.3.
+
+--
+Attack Scenarios:
+An attacker sends an erroneous request to cvsview2.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses cvsview2.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer build of Mozilla Bonsai 1.3.
+
+If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/5517
+
+--
--- /dev/null
+++ b/doc/signatures/2991.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2991
+
+--
+Summary:
+This event is generated when an attempt is made to bind to the winreg
+service.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to bind to the RPC
+service for winreg.
+
+--
+Affected Systems:
+ Windows systems
+
+--
+Attack Scenarios:
+An attacker may attempt to bind to the service to manipulate host
+settings.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+Microsoft Technet
+http://support.microsoft.com/support/kb/articles/q153/1/83.asp
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0562
+Winreg
+http://www.rutherfurd.net/python/winreg/
+
+--
--- /dev/null
+++ b/doc/signatures/1379.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+1379
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow vulnerability associated with IPSWITCH WS_FTP server for
+Windows hosts.
+
+--
+Impact:
+Remote administrator access. A successful attack can allow remote
+execution of arbitrary commands with privileges of administrator.
+
+--
+Detailed Information:
+A buffer overflow exists in WS_FTP server that may permit the execution
+of arbitrary commands with the privileges of administrator. The exploit
+can be generated by FTP client sending a STAT command accompanied by an
+argument greater than 479 bytes long. This exploit requires login
+access to the FTP server.
+
+--
+Affected Systems:
+Hosts running WS_FTP server 2.0.3.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable WS_FTP server and supply an overly
+long file argument to cause a buffer overflow, allowing execution of
+arbitrary commands with the privileges of administrator.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Security Focus:
+http://www.securityfocus.com/advisories/3641
+
+--
--- /dev/null
+++ b/doc/signatures/3175.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3175
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1163.txt
@@ -0,0 +1,60 @@
+Rule:
+
+Sid:
+1163
+
+--
+
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Web server running on an IRIX platform.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+IRIX versions 5.0 through 6.3 contain a CGI script (/var/www/cgi-bin/webdist.cgi)
+for remote administration purposes. This script, as originally released by
+SGI, contains a vulnerability that can allow an attacker to run any
+arbitrary command that the web server user has access to.
+
+--
+Affected Systems:
+ IRIX systems 5.0 to 6.3
+
+--
+Attack Scenarios:
+An attacker makes a request for the script followed by a semi-colon
+character ";" and then the command to be executed.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of this script on the server.
+
+Check for further signs of compromise.
+
+--
+Contributors:
+Original rule writer unknown
+Original document author unkown
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1841.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1841
+
+--
+Summary:
+This event is generated when a client on the protected network has
+possibly visited a website containing malicious javascript code.
+
+--
+Impact:
+Minimal
+
+--
+Detailed Information:
+Certain versions of Mozilla and Netscape may allow script code to access
+local cookie data.
+
+By accessing a maliciously coded webpage, a users cookie data from any
+domain may be viewed by the website's administrator.
+
+--
+Affected Systems:
+ Mozilla versions prior to 1.0.1
+ Netscape versions prior to 6.2.1
+
+--
+Attack Scenarios:
+A devious website admin creates a webpage with malicious code and
+obtains sensitive cookie data from a visiting user's web browser about
+any domain he wishes.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+Some peer-to-peer applications may cause this rule to generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5293
+
+--
--- /dev/null
+++ b/doc/signatures/2356.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2356
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application WebChat.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+WebChat contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable
+WEBCHATPATH when making a GET or POST request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in the file db_mysql.php.
+
+--
+Affected Systems:
+ Webdev Webchat 0.77
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the WEBCHATPATH variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/348.txt
@@ -0,0 +1,61 @@
+SID:
+348
+--
+
+Rule:
+--
+
+Summary:
+This event is generated when an attack attempt is made against an ftp
+server possibly running a vulnerable ftpd
+--
+
+Impact:
+Possible remote execution of commands on the affected server as the root user
+--
+
+Detailed Information:
+The Washington University ftp daemon (wu-ftpd) does not perform proper
+checking in its SITE EXEC implementation, and allows user input to be
+sent directly to printf. This allows an attacker to overwrite data and
+eventually execute code on the server.
+
+This rule detects code from a published exploit called bobek.c
+--
+
+Affected Systems:
+Any system running wu-ftpd 2.6 .0 or below
+--
+
+Attack Scenarios:
+A remote attacker will attempt to execute commands on the ftp server
+with root user privileges, over writing or modifying system files. This
+can be done with anonymous and real user logins.
+--
+
+Ease of Attack:
+Simple, Exploits exist
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Upgrade to latest version which has fixes for this problem. Maybe even get rid of wu-ftp with something more secure
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/2282.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2282
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may
+lead to the attacker being able to execute PHP code and include php files
+of the attackers choosing.
+
+--
+Affected Systems:
+ MediaWiki MediaWiki-stable 20031107
+ MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000732.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000732
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "Geeklog" application running on a webserver. Access to the file "EditIPofURL.Admin.class.php" using a remote file being passed as the "$_CONF[path]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "$_CONF[path]" parameter in the "EditIPofURL.Admin.class.php" script used by the "Geeklog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Geeklog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2416.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2416
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic
+is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp
+server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of
+spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or
+it could be an attempt to compromise the FTP server by overflowing a
+buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party
+using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain
+access to a host, then upload a Trojan Horse program to gain control of
+that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected
+network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2581.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2581
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory
+traversal associated with the Crystal Reports web viewer.
+
+--
+Impact:
+A successful attack may allow unauthorized files to be viewed or
+possibly deleted.
+
+--
+Detailed Information:
+A vulnerability exists in the Crystal Reports web viewer that may permit
+an attacker to view or delete unauthorized files. The is due to a
+failure to ensure that that a requested Crystal Report file location
+is in the web root directory, permitting unauthorized files to be
+viewed.
+
+In addition, Crystal Reports assumes that the requested report
+file for viewing is a temporary file and deletes it after the
+web version has been viewed. This problem combined with the
+directory traversal vulnerability may allow sensitive or valuable
+files to be deleted.
+
+--
+Affected Systems:
+Crystal Reports 8.5 JAVA SDK
+Crystal Reports RAS 8.5 for UNIX
+Crystal Reports 9.0
+Crystal Enterprise 9.0
+Crystal Reports 10
+Crystal Reports 10.0
+
+--
+Attack Scenarios:
+An attacker can request to view a file not in the web root
+directory, permitting unauthorized information disclosure.
+The viewed file will be deleted subsequently possibly causing
+harm to the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0204
+
+Other:
+http://www.microsoft.com/security/bulletins/200406_crystal.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/568.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+568
+
+--
+Summary:
+This event is generated when an attempt is made to change the message on
+the LCD display on a JetDirect enabled HP printer.
+
+--
+Impact:
+User confusion and comedy, mostly.
+
+--
+Detailed Information:
+HP JetDirect printers allow remote machines to change the message that
+is displayed on the LCD panel via the PJL command. This event indicates
+that this command has been used in network traffic.
+
+--
+Affected Systems:
+ HP JetDirect enabled printers
+
+--
+Attack Scenarios:
+As part of an attempt to confuse and annoy users, an attacker may
+attempt to change the message displayed on the printers LCD screen.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Update to the latest JetDirect, and investigate the possibility of
+restricting access to a central print-server using the "allow:
+" directive in a printer config file.
+
+Disallow printer use from hosts outside the protected network.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2410.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2410
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a PHP web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a PHP application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the PHP application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running PHP applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2196.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+2196
+
+--
+Summary:
+This event is generated when an attempt is made to access catgy.cgi on an internal web server. This may indicate an attempt to exploit a cross-site scripting vulnerability in Aktivate e-commerce software.
+
+--
+Impact:
+Arbitrary code execution, possible session hijack.
+
+--
+Detailed Information:
+Aktivate 1.03 is an e-commerce application for use on Linux and other UNIX-based operating systems. An attacker can craft a URL with malicious code in the "desc" command's argument that passes the commands to catgy.cgi. If a legitimate user activates the URL, malicious code may be executed on the client computer.
+
+--
+Affected Systems:
+Systems running Aktivate 1.03.
+
+--
+Attack Scenarios:
+An attacker may craft a URL that, when activated by a legitimate user, obtains the user's session cookie, thereby allowing the attacker to pose as the user for the duration of the session.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses catgy.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+It is not known if this vulnerability has been fixed. Contact the vendor, Allen & Keul Web Solutions (http://www.allen-keul.net) for more information.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+http://www.securityfocus.com/bid/3714
+
+--
--- /dev/null
+++ b/doc/signatures/2016.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2016
+
+--
+Summary:
+Remote Procedure Call (RPC) is a facility that enables a machine to
+request a service from another remote machine. This is done without the
+request for available services on a host.
+
+--
+Impact:
+This may be an intelligence gathering activity that could be the prelude
+to an attack against a vulnerable service on the host.
+
+--
+Detailed Information:
+This RPC status request returns information pertaining to available RPC
+services running on a host. This is not an attack against a host by
+itself but may be an intelligence gathering activity in prelude to an
+attack against a vulnerable service running on a target host.
+
+--
+Affected Systems:
+All machines running RPC services.
+
+--
+Attack Scenarios:
+The attacker merely needs to request information about services being
+offered on a target machine using "rpcinfo" for example.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+When seen on a local area network a legitimate rpcinfo request will
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+RPC services should not be available outside the local area network,
+filter RPC ports at the firewall to ensure access is denied to RPC
+enabled machines.
+
+Disable all RPC services where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats:
+http://www.whitehats.com/info/IDS15/
+
+--
--- /dev/null
+++ b/doc/signatures/100000132.txt
@@ -0,0 +1,70 @@ +Rule: + +-- +Sid: +100000132 + +-- +Summary: +This event is generated when a connection is made to the Internet via a proxy +server on your internal network. + +-- + +Impact: +If the server is not legitimate, anyone with access to it can use your +bandwidth to access the Internet; if users conduct malicious activity on the +Internet through this server, the activity will appear to have come from the +misconfigured machine. + +-- +Detailed Information: +This rule looks for pieces of HTTP requests being made by a misconfigured +Squid, ISA, or NetCache proxy server. If it fires, and the machine the alert is +coming from is not a known proxy server, it indicates that the machine in +question is either improperly configured or has been compromised. + +False positives associated with this rule may be reduced considerably, or even +eliminated, by the use of a custom variable. By editing your snort.conf to +include "var KNOWN_PROXY_SERVERS = [ +Alex Kirk + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/1060.txt 
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1060
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
--- /dev/null
+++ b/doc/signatures/2202.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+2202
+
+--
+Summary:
+This event is generated when an attempt is made to access edit_action.cgi on an internal web server. This may indicate an attempt to exploit a directory traversal vulnerability in Webmin 0.91.
+
+--
+Impact:
+Information gathering, possible execution of system utilities to which Webmin has rights.
+
+--
+Detailed Information:
+Webmin is a web-based system administration tool for Linux and UNIX-based operating systems. A malicious user could use directory traversal techniques within an argument sent to the edit_action.cgi script in order to view hidden files on the server or execute programs to which Webmin has security privileges.
+
+--
+Affected Systems:
+Systems running Webmin 0.91.
+
+--
+Attack Scenarios:
+An attacker creates a specially crafted an edit_action.cgi URL and transmits it to a vulnerable server. The attacker can then view or execute any arbitrary file included in the parameter, provided that Webmin has rights to access it.
+
+--
+Ease of Attack:
+Simple. A proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses edit_action.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to Webmin 0.92 or higher.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/3698
+
+--
--- /dev/null
+++ b/doc/signatures/2254.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2254
+
+--
+Summary:
+This rule has been deleted in favor of sid 2253.
+
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Exchange Server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service
+(DoS).
+
+--
+Detailed Information:
+A vulnerability exists in versions of Microsoft Exchange Server such
+that it is possible for an attacker to execute arbitrary code or cause a
+DoS condition on the server without the need for prior authentication as
+a valid user.
+
+It is possible for an attacker to connect to the Exchange server on port
+25 and send an extended verb request to the server that will cause a
+large amount of memory to be allocated. In Exchange Server 5.5 this may
+cause a DoS, whilst in Exchange Server 2000 this same condition could
+present the attacker with an opportunity to execute arbitrary code.
+
+--
+Affected Systems:
+ MIcrosoft Exchange Server 5.5
+ Microsoft Exchange Server 2000
+
+--
+Attack Scenarios:
+The attacker can connect to port 25 of the server and send a specially
+crafted verb request.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Corp.
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-046.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0714
+
+--
--- /dev/null
+++ b/doc/signatures/2609.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2609
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "cancel_statistics" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
--- /dev/null
+++ b/doc/signatures/1905.txt
@@ -0,0 +1,68 @@
+Rule:
+--
+Sid:
+1905
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow associated with the Remote Procedure Call (RPC) amd service.
+
+--
+Impact:
+Remote root access. This attack can permit execution of arbitrary
+commands with the privileges of the user running amd, typically root.
+
+--
+Detailed Information:
+The amd RPC service implements the automounter daemon on UNIX hosts. The
+amd service automatically mounts and unmounts requested file systems.
+There is a buffer overflow associated with amd logging that can allow
+execution of arbitrary commands with the privileges of the user running
+amd, typically root.
+
+--
+Affected Systems:
+ BSDI BSD/OS 3.1, 4.0.1
+ FreeBSD 3.0, 3.1, 3.2
+ Red Hat Linux 4.2, 5.0, 5.1, 5.2, 6.0
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where amd runs
+and then attack the amd port. Alternatively, an attacker may attempt to
+execute the exploit code on any listening port in the RPC range if the
+portmapper is blocked.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to
+RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2828.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2828
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_repgroup
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2190.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2190
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+--
--- /dev/null
+++ b/doc/signatures/2333.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2333
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an FTP server.
+
+--
+Impact:
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious
+activity in FTP traffic between hosts.
+
+It is possible for a user to supply data to an FTP ommand and have it
+interpreted as code. The attacker might then be able to run code of
+their choosing with the privileges of the user running the FTP service.
+
+--
+Affected Systems:
+ PlatinumFTP PlatinumFTPserver 1.0.18
+
+--
+Attack Scenarios:
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a
+host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade to the latest non-affected version of the software.
+
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1592.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1592
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1352.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1352
+
+--
+Summary:
+Attempted tclsh command access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to execute a tclsh command or script on a webserver. tclsh is a shell application that reads tcl commands and evaluates them. The attacker could possibly execute a command or script on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains 'tclsh'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Contributors:
+Sourcefire Research Team
+
+--
+Additional References:
+sid: 1351
+
+--
--- /dev/null
+++ b/doc/signatures/3060.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+3060
+
+--
+Summary:
+This event is generated when an attempt is made to initiate a TLS
+connection via SSL version 2.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This rule indicates that an attempt has been made to initiate a TLS
+connection via SSL v2. This rule should not generate an event.
+
+--
+Affected Systems:
+ All implementations using SSL.
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000839.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000839
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHP Event Calendar" application running on a webserver. Access to the file "calendar.php" using a remote file being passed as the "path_to_calendar" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "path_to_calendar" parameter in the "calendar.php" script used by the "PHP Event Calendar" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHP Event Calendar
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/3127.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3127
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2143.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2143
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a weakness in the cafelog php application.
+
+--
+Impact:
+Arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a vulnerability in the cafelog PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
+
+--
+Affected Systems:
+Any host using cafelog.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2701.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2701
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+--
+Affected Systems:
+ Oracle iSQLPlus
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3223.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3223
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/153.txt
@@ -0,0 +1,88 @@
+Rule:
+
+--
+Sid:
+153
+
+--
+Summary:
+Donald Dick is a Trojan Horse allowing the attacker to access various
+resources on the victim host. This event is generated when the attackers
+client connects to the Trojan server.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows NT
+
+The Trojan changes system registry settings to add the Donald Dick
+server to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+The default name of the server application is vmldir.vxd.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\
+
+Registry keys added:
+
+ VMLDR
+
+This contains the key StaticVxD = "vmldir.vxd"
+
+Delete the registry key VMLDR.
+
+Delete the Troajn application vmldir.vxd.
+
+A reboot of the infected machine is needed.
+
+--
+Contributors:
+Original rule written by unknown persons.
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Hackfix
+http://www.hackfix.org/miscfix/dd.shtml
+
+--
--- /dev/null
+++ b/doc/signatures/847.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+847
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/317.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 317
+
+--
+Summary:
+This event is generated when an attempt is made to escalate privileges remotely using a vulnerability in mountd.
+
+--
+Impact:
+System compromize presenting the attacker with escalated system privileges .
+
+--
+Detailed Information:
+Some implementations of the Network File System (NFS) on Linux systems use a vulnerable version of mountd that is subject to a buffer overflow condition in the logging subsystem.
+
+The mountd logging facility also logs failed attempts to mount shared resources, even if NFS is not enabled on the system. This means that exploitation of this issue is possible wether or not NFS is being used.
+
+Affected Systems:
+ Caldera OpenLinux Standard 1.2
+ RedHat Linux 2.0, 2.1, 3.0.3, 4.0, 4.1, 4.2, 5.0, 5.1
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/121
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0917
+
+CERT:
+http://www.cert.org/advisories/CA-1998-12.html
+http://www.cert.org/summaries/CS-98-08.html
+
+--
--- /dev/null
+++ b/doc/signatures/1515.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1515
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2043.txt
@@ -0,0 +1,77 @@
+Rule:
+
+--
+Sid:
+2043
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Internet Security Association and Key Management
+Protocol (ISAKMP).
+
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+ISAKMP is a framework for authentication using cryptographic keys. It
+specifically defines the process of key exchange as opposed to the
+generation of a cryptographic key.
+
+ISAKMP also details the procedures for the required security
+associations in network security services.
+
+This event indicates that a key exchange using ISAKMP failed.
+
+--
+Affected Systems:
+All systems using cryptographic key exchange as an authentication
+method.
+
+--
+Attack Scenarios:
+The attacker may have a store of keys associated with valid users and
+may attempt to authenticate using a combination of username and key.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+A user may mistype a username or may be trying to authenticate using an
+expired key.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Ensure that key exchanges are only allowed between trusted hosts.
+
+Check log files for disallowed login attempts.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+ISAKMP:
+http://www.networksorcery.com/enp/protocol/isakmp.htm
+
+RFC:
+http://www.ietf.org/rfc/rfc2407.txt
+http://www.ietf.org/rfc/rfc2408.txt
+
+IANA:
+http://www.iana.org/assignments/isakmp-registry
+
+--
--- /dev/null
+++ b/doc/signatures/698.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+698
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft SQL.
+
+--
+Impact:
+Information gathering and data integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to an implementation of Microsoft SQL server or client. This can
+lead to unauthorized access and possibly escalated privileges to that of
+the administrator. Data stored on the machine can be compromised and
+trust relationships between the victim server and other hosts can be
+exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000454.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000454
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "KAPhotoservice" application running on a
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "New Category" parameter in the "edtalbum.asp"
+script used by the "KAPhotoservice" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using KAPhotoservice
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/1728.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1728
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known vulnerability in the ftp server included with version 2.6 of the Sun Solaris operating system.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+An error in the ftp daemon supplied with version 2.6 of Sun's Solaris operating system can cause the daemon to overflow a buffer and generate a core file that is world readable.
+
+The attacker may also be able to fill the disk partition by generating core files.
+
+--
+Affected Systems:
+Sun Solaris 2.6
+
+--
+Attack Scenarios:
+An attacker can use a non-standard ftp client or initiate a session with the ftp server and issue a CWD ~ command. The attacker may then be able to read the core file and recover usernames and passwords for other users on the system
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/494.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid: 494
+
+--
+Summary:
+This event is generated by a successful attempt to execute a command. This may be indicative of post-compromise behavior indicating the use of a Windows command shell.
+
+--
+
+Impact:
+Serious. An attacker may have the ability to execute commands remotely
+
+--
+Detailed Information:
+This event is generated by an unsuccessful attempt to execute a Windows command which generates the response "The command completed successfully". For example, it is generated in Windows 2000/XP after the "net" command (such as "net use") is used. The net commands are used for a wide variety of system tasks of interest to attackers and can be started from the windows shell (cmd.exe, command.com).
+
+Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has sucessfully executed a command. Note that the source address of this event is actually the victim and not that of the attacker.
+
+--
+
+Attack Scenarios:
+An attacker gains an access to a Windows web server via IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to map the DMZ network via "net use" commands.
+
+--
+
+Ease of Attack:
+Simple. This post-attack behavior can accompany different attacks.
+
+--
+
+False Positives:
+This rule will generate an event if the string "Command completed" appears in the content distributed by the web server, in which case the rule should be tuned.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Investigate the web server for signs of compromise.
+
+Look for other IDS events involving the same IP addresses.
+
+--
+Original rule writer unknown
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Technet:
+http://www.microsoft.com/technet/prodtechnol/windows2000serv/support/FAQW2KCP.asp
+
+--
--- /dev/null
+++ b/doc/signatures/570.txt
@@ -0,0 +1,71 @@
+SID:
+570
+--
+
+Rule:
+--
+
+Summary:
+This event indicates an attempt to exploit the tool talk RPC database
+service
+--
+
+Impact:
+Possible unauthorized administrative access to the server or application
+or a denial of service to the affected application
+--
+
+Detailed Information:
+ToolTalk RPC database service (rpc.ttdbserverd) does not perform
+adequate input validation or provide a format string specifier argument
+when writing to syslog. This means a specifically crafted RPC request to
+the ToolTalk RPC database service overwriting specific locations in
+memory and therefore allowing execution of code with the same permission
+level as the user running ttdbserverd, usually root.
+--
+
+Affected Systems:
+ HP-UX 10.10 - 11.0
+ AIX 4.1 - 4.3
+ IRIX 5.2 - 6.4
+ Solaris 1.1 - 2.6
+ TriTeal TED CDE 4.3
+ Xi Graphics Maximum CDE 1.2.3
+
+Possibly other vendors, if you are running Tool Talk (rpc.ttdbserverd) check with your vendor.
+--
+
+Attack Scenarios:
+An attacker will send a specially crafted RPC call to the
+rpc.ttdbserverd daemon running on an affected system. A sucessful
+attack will then run code on the server with the access level of the
+root user.
+--
+
+Ease of Attack:
+Simple, Exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+Updates packages and patches are available from vendors, install them or
+disable the service if not needed.
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/3255.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3255
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1974.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1974
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with CesarFTPD FTP server REST command.
+
+--
+Impact:
+Remote access. A successful attack may permit the remote execution of arbitrary commands with system privileges.
+
+--
+Detailed Information:
+CesarFTPD offers FTP servers for Windows hosts. A vulnerability exists with the REST command that can cause a buffer overflow and permit the execution of arbitrary commands with system privileges. The buffer overflow can be caused by supplying an overly long argument to the REST command.
+
+--
+Affected Systems:
+Hosts running CesarFTP 0.98b.
+
+--
+Attack Scenarios:
+An attacker can supply an overly long file argument with the REST command, causing a buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0826
+
+--
--- /dev/null
+++ b/doc/signatures/157.txt
@@ -0,0 +1,103 @@
+Rule:
+
+--
+Sid:
+152, 157-158
+
+--
+Summary:
+Backdoor.Backconstruction is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files
+and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+
+The Trojan changes system registry settings to add the Backconstruction
+sever to programs normally started on boot. Due to the nature of this
+Trojan it is unlikely that the attacker's client IP address has been
+spoofed.
+
+ SID Message
+ --- -------
+ 152 BackConstruction 2.1 Connection (outgoing TCP
+connection)
+ 157 BackConstruction 2.1 Client FTP Open Request (incoming
+TCP connection)
+ 158 BackConstruction 2.1 Server FTP Open Reply (outging TCP
+connection)
+
+This Trojan is commonly used to install other Trojan programs.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at :\WINDOWS\Cmctl32.exe
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a
+previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Shell = ":\WINDOWS\Cmctl32.exe"
+
+Removal of this entry is required.
+
+Delete the file :\WINDOWS\Cmctl32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected
+machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS505
+
+Dark-e:
+http://www.dark-e.com/archive/trojans/backc/21/index.shtml
+
+Pest Patrol:
+www.pestpatrol.com/PestInfo/b/back_construction.asp
+
+--
--- /dev/null
+++ b/doc/signatures/932.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+932
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a ColdFusion web server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Coldfusion. Many known vulnerabilities exist for this platform and
+the attack scenarios are legion.
+
+--
+Affected Systems:
+ All systems running ColdFusion
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1349.txt
@@ -0,0 +1,47 @@
+Rule:
+
+--
+Sid:
+1349
+
+--
+Summary:
+Attempted /bin/python access via web
+
+--
+Impact:
+Attempt to execute a python script on a host.
+
+--
+Detailed Information:
+This is an attempt to execute a python script on a host. Python is a scripting language that is available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt commands available to the language. When combined with the access permissions of the user executing the script, the consequences of running arbitrary code can be devastating
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP transaction that includes a reference to Python in the URI.
+
+--
+Ease of Attack:
+Simple HTTP.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Python may also be requested on a command line should the attacker gain access to the machine. Whenever possible, all python scripts on the host should be written using the restriceted access mode. This forces Python to execute the scripts in a "sandbox" which will disallow unsafe operations in the code.
+--
+Contributors:
+Sourcefire Research Team
+
+--
+Additional References:
+sid: 1350
+
+--
--- /dev/null
+++ b/doc/signatures/1454.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1454
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server, in this case
+the wwwwais cgi application.
+
+--
+Impact:
+Possible execution of arbitrary code of the attackers choosing.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Securiteam:
+http://www.securiteam.com/unixfocus/5SP140035A.html
+
+--
--- /dev/null
+++ b/doc/signatures/501.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+501
+
+--
+Summary:
+This event is generated when a packet is discovered with loose source routing set in the IP options.
+
+--
+Impact:
+Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing.
+
+--
+Detailed Information:
+Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop. This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it.
+
+--
+Affected Systems:
+Unless loose source routing is disabled, all hosts can accept them.
+
+--
+Attack Scenarios:
+An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+This even will trigger if you allow loose source routed packets into your network.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block all source routed (loose or strict) packets from entering your network.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/646
+
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909
+
+Whitehats
+www.whitehats.com/info/IDS470
+
+--
--- /dev/null
+++ b/doc/signatures/2921.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+2921
+
+--
+Summary:
+This event is generated when an inverse query attempt is made using UDP.
+
+--
+
+Impact:
+Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Bind 8 contains a programming error that may present an attacker with
+the opportunity to execute code of their choosing on an affected server.
+
+The error occurs in the handling of malformed transactions. When using
+UDP this can result in the attacker causing a stack overflow in named.
+
+--
+Affected Systems:
+ Bind 8.
+
+--
+Attack Scenarios:
+An attacker needs to send a specially crafted and malformed query to an
+affected server.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/217.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+217
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to a
+Telnet server using the phrase "hax0r". This is a known password for
+the sm4ck Linux rootkit.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to.
+
+--
+Detailed Information:
+This Trojan affects Linux operating systems:
+
+Due to the nature of this Trojan it is unlikely that the attacker's
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise may be due to the exploitation of another vulnerability and
+the attacker is leaving another way into the machine for further use.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Telnet access from external sources.
+
+Use SSH as opposed to Telnet for access from external locations
+
+Delete the Trojan and kill any associated processes.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1733.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1733
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) rwalld is listening.
+
+
+--
+Impact:
+Information disclosure. This request is used to discover which port rwalld is using. Attackers can also learn what versions of the rwalld protocol are accepted by rwalld.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as rwalld run. The rwalld RPC service is used by UNIX hosts to send a message to current users on the host. There is a format string vulnerability associated with rwalld error messages, allowing an attacker to execute abitrary code with the privileges of rwalld, possibly root. According to CERT, this is both a local and remote exploit, but the remote exploit is more difficult to perform.
+
+--
+Affected Systems:
+Sun Solaris 2.5.1, 2.6, 7, and 8
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where rwalld runs. This may be a precursor to an attack to exploit the rwalld format string vulnerability.
+
+--
+Ease of Attack:
+Easy.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access rwalld, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for rwalld, not probes of the rwalld service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the rwalld service itself. An attacker may attempt to go directly to the rwalld port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2002-10.html
+
+
+--
--- /dev/null
+++ b/doc/signatures/357.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+357
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1474.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1474
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1391.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1391
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1110.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1110
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1384.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+1384
+
+--
+Summary:
+This event is generated when a remote user attempts to send a NOTIFY directive to an internal host's Universal Plug and Play (UPnP) server.
+
+--
+Impact:
+Attempted administrator access or denial of service. A successful attack may cause a denial of service or permit the execution of arbitrary code with administrator privileges.
+
+--
+Detailed Information:
+The UPnP is used to find network-based devices. Specifically, UPnP NOTIFY directives are employed to advertise the existence of UPnP devices on the network. A vulnerability exists that permits a malformed NOTIFY directive to cause a buffer overflow on the remote host listening on UPnP. Alternately, a malformed NOTIFY directive may be used to exhaust resources on a remote host listening on UPnP. The buffer overflow attack may permit the execution of arbitrary code on the host with administrator privileges.
+
+--
+
+Affected Systems:
+Microsoft Windows 98, 98SE, ME, XP
+
+--
+Attack Scenarios:
+An attacker may obtain craft a malformed NOTIFY directive to cause a denial of service or attempt to execute arbitrary code on the victim host.
+
+--
+Ease of Attack:
+Simple. Exploit code is freely available.
+
+--
+False Positives:
+This event will be generated if external hosts are permitted to query for UPnP devices.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound UPnP traffic.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0876
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0877
+
+--
--- /dev/null
+++ b/doc/signatures/1730.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1730
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/516.txt
@@ -0,0 +1,61 @@
+Nigel - added new references to the rule and bumped up revision number.
+Rule:
+
+--
+Sid:
+516
+
+--
+Summary:
+This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
+
+--
+Impact:
+Reconnaissance. An attacker may obtain SMB usernames of the remote host.
+
+--
+Detailed Information:
+Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
+
+--
+Affected Systems:
+Hosts that run SMB and listen for SNMP requests.
+
+--
+Attack Scenarios:
+An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
+
+--
+Ease of Attack:
+A Nessus script exists to list current SMB users.
+
+--
+False Positives:
+None.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Block inbound SNMP traffic.
+
+Disable SNMP as a listening service on the remote host unless it is required.
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS333
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10546
+
+--
--- /dev/null
+++ b/doc/signatures/1059.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1059
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+NGS Whitepaper - Advanced SQL Injection
+www.nextgenss.com/papers/advanced_sql_injection.pdf
+
+--
--- /dev/null
+++ b/doc/signatures/2093.txt
@@ -0,0 +1,86 @@
+Rule:
+
+--
+Sid:
+2093
+
+--
+Summary:
+vulnerability in xdrmem_getbytes used by XDR in RPC portmap services.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code,
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data
+representation (XDR) libraries. An integer overflow in a component
+(xdrmem_getbytes) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a
+framework for data transmission across networks. This is most commonly
+used in RPC implementations.
+
+A specially crafted rpc request can lead to remote system compromise and
+super user access to the target host. Additionally, a denial of service
+and execution of arbitrary code with the privilege of the super user is
+also possible.
+
+--
+Affected Systems:
+Multiple vendors including all those using:
+ Sun Microsystems Network Services Library (libnsl)
+ GNU C library with sunrpc (glibc)
+ BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request to the target
+host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any
+statically linked binaries and applications must be recompiled and
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/7123
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028
+
+CERT:
+http://www.cert.org/advisories/CA-2003-10.html
+http://www.kb.cert.org/vuls/id/516825
+http://www.kb.cert.org/vuls/id/192995
+
+--
--- /dev/null
+++ b/doc/signatures/100000110.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+100000110
+
+--
+Summary:
+This event is generated when the Dabber virus attempts to exploit a
+vulnerability in the FTP server installed by the Sasser virus.
+
+--
+
+Impact:
+If the Sasser virus is currently running on the affected system, then the
+Dabber virus will be able to install itself as well.
+
+--
+Detailed Information:
+Some variants of the Sasser virus install an FTP server that listens on port
+5554. However, this FTP server suffers from a buffer overflow in the PORT
+command, which can be exploited with a command of 100 or more characters. The
+Dabber virus makes use of this vulnerability as an infection vetor.
+
+--
+Affected Systems:
+Any machine with a variant of the Sasser virus whose FTP server listens on port
+5554.
+
+--
+
+Attack Scenarios:
+A known virus scans the Internet in search of vulnerable systems.
+
+--
+
+Ease of Attack:
+Simple, as the virus is in the wild.
+
+--
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Users should employ a virus removal tool to clean their system of both Dabber
+and Sasser, and then apply the latest security patches from Microsoft to
+prevent further infections.
+
+--
+Contributors:
+Matt Watchinski
+Alex Kirk
+
+--
+Additional References:
+
+http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/3330.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3330
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1610.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1610
+
+--
+Summary:
+An attempt to access a script (formmail) in the cgi-bin which has known
+vulnerabilities.
+
+Formmail is a freely available perl script that is used to send data
+collected via a form to specified addresses.
+
+--
+Impact:
+Attempt to gain information about the web-server environment variables.
+Could also be an attempt to execute commands on the web-server that will
+execute with the privilege of the user owning the daemon running the
+server. The script may also be used to relay SPAM or to disclose the
+contents of files on the host.
+
+--
+Detailed Information:
+This could be an attempt to gain intelligence about the web-server that
+might be used to further exploit the machine. The environment variables
+of the web-server might be retrieved and sent via email to an address of
+the attackers choosing. More importantly this could be an attempt to
+execute commands on the web-server. Should this be successful, the
+commands would execute with the privileges of the user owning the httpd daemon.
+
+--
+Attack Scenarios:
+Formmail receives information from a form via an HTTP POST. This
+includes the email addresses to which the form data is sent. A URI in
+the form of a POST to the formmail script could be crafted to send
+environment variables to a specified email address.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Web-servers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. The web-server httpd
+daemon should be run as a non-privileged user without login access to
+the host. The formmail script should be updated to a non-vulnerable
+version as soon as possible.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1830.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1830
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1446.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+1446
+
+--
+Summary:
+This event is generated when an external attacker uses the "vrfy root"
+command to find the login name or mail alias of the system
+administrator. This may also indicate a vulnerability scan.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+An attacker may be able to obtain the email alias or actual email
+address of root users. This allows the attacker to know which email
+accounts may be more valuable to target, and can be used by spammers or
+as targets for denial of service attempts.
+
+--
+Affected Systems:
+Systems running Sendmail.
+
+--
+Attack Scenarios:
+An attacker uses vrfy root to obtain the name of administrators on the
+server. The attacker now knows which accounts have administrative
+access, and may use this information to focus later attacks.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disable the vrfy command on your mail server, or update your Sendmail
+configuration file so that Sendmail displays non-sensitive information
+when it receives a vrfy root request.
+
+--
+Contributors:
+Original rule written by Brian Caswell
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+
+RFC 821:
+http://www.faqs.org/rfcs/rfc821.html
+
+Security Space:
+http://www.securityspace.com/smysecure/catid.html?viewsrc=1&id=10249
+
+--
--- /dev/null
+++ b/doc/signatures/718.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+718
+
+--
+Summary:
+This event is generated when an attempted telnet login fails from a remote user.
+
+--
+Impact:
+Attempted remote access. This event may indicate that an attacker is attempting to guess username and password combinations. Alternately, it may indicate that an authorized user has entered an incorrect username and password combination.
+
+--
+Detailed Information:
+A telnet server will issue an error message after a failed login attempt. This may be an indication of an attacker attempting brute force guessing of username and password combinations. It is also possible that an authorized user has incorrectly entered a legitimate username and password combination. Telnet traffic is passed in clear text so it is not recommended for remote connections. Secure Shell is considered to be a more secure alternative.
+
+--
+Affected Systems:
+Telnet servers.
+
+--
+Attack Scenarios:
+An attacker may attempt to guess username and password combinations.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+This event may be triggered by a failed telnet login attempt from a remote user.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Original rule writer Max Vision
+Documented by Steven Alexander
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS127
+
+--
--- /dev/null
+++ b/doc/signatures/1368.txt
@@ -0,0 +1,48 @@
+Rule:
+
+--
+Sid:
+1368
+
+--
+Summary:
+Attempted ps command access via web
+
+--
+Impact:
+Attempt to gain information on system files and filestructure
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the filesystem on a webserver. The ls command lists the files and filesystem layout on a UNIX or Linux based system. The attacker could possibly gain information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains '/bin/ls'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine.
+
+--
+Contributors:
+Sourcefire Research Team
+
+--
+Additional References:
+sid: 1369
+
+--
--- /dev/null
+++ b/doc/signatures/1098.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1098
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/141.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+141
+
+--
+Summary:
+hack-a-tack is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
+
+--
+Detailed Information:
+The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+ SID Message
+ --- -------
+ 141 HackAttack 1.20 Connect
+ 614 hack-a-tack attempt
+
+This Trojan is commonly used to install other Trojan programs.
+
+The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
+
+--
+Affected Systems:
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+ Windows XP
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at :\WINDOWS\Expl32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Explorer32 =":\windows\Expl32.exe"
+ Configuration Wizard = ":\windows=cfgwiz32.exe"
+
+Removal of this entry is required.
+
+Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS314
+http://www.whitehats.com/info/IDS504
+
+Hackfix.org
+http://www.hackfix.org/miscfix/hackatack.shtml
+
+Commodon Communications
+http://www.commodon.com/threat/threat-hack.htm
+
+--
--- /dev/null
+++ b/doc/signatures/1776.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid: 1776
+
+--
+
+Summary:
+This event is generated when an attempt is made to use the MySQL 'show' command to garner a list of databases.
+
+--
+Impact:
+Intelligence gathering. This may be the prelude to an attack against one the databases or the MySQL daemon.
+
+--
+Detailed Information:
+This event is generated when the MySQL command 'show' is used to garner a list of MySQL databases being served by the MySQL daemon.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+--
+
+Attack Scenarios:
+A MySQL implementation may inappropriately respond to connections from any host external to the protected network. The atttacker may be able to query the daemon to gain a list of databases available, then continue to garner information from the databases.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a legitimate user making a query to a MySQL daemon from an external source.
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3416.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3416
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000687.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+100000687
+
+--
+Summary:
+This event is generated when an empty CTCP NOTICE message is sent to an IRC
+channel.
+
+--
+Impact:
+If the EnergyMech IRC Bot receives such a message, a denial of service
+condition will occur.
+
+--
+Detailed Information:
+Whenever the EnergyMech IRC Bot processes a null CTCP NOTICE message, a denial
+of service condition occurs. Note that this rule is set to examine only default
+IRC ports, in order to conserve system resources; if you are particularly
+concerned about this exploit, you may wish to set the ports to "any", as IRC
+channels can exist on any port.
+
+--
+Affected Systems:
+EnergyMech <= 3.0.1
+
+--
+Attack Scenarios:
+An attacker could exploit this vulnerability via any IRC client, or by using an
+automated script.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to version 3.0.2 or greater.
+
+--
+Contributors:
+VeriSign MSS Operations Team
+Joel Esler
+
+--
+Additional References:
+http://www.energymech.net/versions-3.0.html
+
+--
--- /dev/null
+++ b/doc/signatures/2345.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2345
+
+--
+Summary:
+This event is generated when an attempt is made to access the
+search.php script which contains known vulnerabilities and
+is part of the phpGedView CGI web application running on a server.
+
+--
+Impact:
+Information gathering and possible cross site scripting attack.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the phpGedView CGI web application running on a server.
+Multiple vulnerabilities exist in the application which can lead to
+cross site scripting attacks.
+
+--
+Affected Systems:
+ phpGedView
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+firstname parameter of the search.php script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2227.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2227
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP application Pod.Board.
+
+--
+Impact:
+Execution of arbitrary code on the client machine connecting to the host
+running the application. Theft of cookie data not limited to
+authentication credentials is possible.
+
+--
+Detailed Information:
+The forum_details.php script does not properly check data supplied in
+input fields or via URI parameters which leads to HTML injection
+possibilites. This injection can include malicious script of the
+attackers choosing.
+
+--
+Affected Systems:
+ planetinsanity.de pod.board 1.1
+
+--
+Attack Scenarios:
+A cross site scripting attack is possible, the attacker would need to
+entice the victim to use a link supplied by the attacker which could
+then divulge login and cookie information.
+
+--
+Ease of Attack:
+Moderate to Difficult. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1762.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1762
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2388.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2388
+
+--
+Summary:
+This event is generated when an attempt is made to access
+view_broadcast.cgi on a server used for streaming media services.
+
+--
+Impact:
+Information gathering and system integrity compromise.
+
+--
+Detailed Information:
+The view_broadcast.cgi script contains a known vulnerability that may
+allow an attacker to perform a variety of cross-site scripting attacks.
+This event is generated when an attempt is amde to access the script
+directly from a source external to the protected network.
+
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000502.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+100000502
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Ji-Takz" application running on a webserver.
+Access to the file "tag.class.php" using a remote file being passed as the
+"mycfg" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "mycfg" parameter in the "tag.class.php" script used by
+the "Ji-Takz" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Ji-Takz
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000493.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000493
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "DeluxeBB" application running on a webserver.
+Access to the file "postreply.php" using a remote file being passed as the
+"templatefolder" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "templatefolder" parameter in the "postreply.php" script
+used by the "DeluxeBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using DeluxeBB
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1674.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1674
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1486.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1486
+
+--
+Summary:
+This event is generated when an attempt is made to access the file ctss.idc.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary
+commands on the vulnerable server.
+
+--
+Detailed Information:
+This mkilog.exe is a Common Gateway Interface (CGI) script that can be
+used to view and modify SQL database contents. It posts data to another
+module, ctss,idc, that creates a table based on the parameters passed to
+it. If an attacker passes parameters such as a valid username and
+password to create a table, it may be possible to alter the table to
+execute commands on the vulnerable server.
+
+--
+Affected Systems:
+ Windows systems.
+
+--
+Attack Scenarios:
+An attacker can attempt to exploit this vulnerability to execute remote
+commands on the vulnerable server.
+
+--
+Ease of Attack:
+Easy.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Delete file /scripts/tools/ctss.idc
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+SecurityFocus Mail Archive:
+http://www.securityfocus.com/archive/101/200779
+
+--
--- /dev/null
+++ b/doc/signatures/3231.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3231
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1155.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1155
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1873.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1873
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/446.txt
@@ -0,0 +1,53 @@
+Rule:
+
+--
+Sid:
+446
+
+--
+Summary:
+This event is generated when an ICMP "SKIP" message is generated with a non-zero ICMP code.
+
+--
+Impact:
+Informational. This may indicate that the ICMP message has been crafted.
+
+--
+Detailed Information:
+An ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this message should be 0. If a non-zero code for the ICMP code is observed, it may be an indication that the packet was crafted with an invalid value.
+
+
+--
+Affected Systems:
+This traffic should have no adverse impact.
+
+--
+Attack Scenarios:
+An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet itself is not harmful, but the unusual ICMP code may indicate that this packet was abnormally generated.
+
+--
+Ease of Attack:
+Simple. There are many packages available to generate ICMP messages.
+
+--
+False Positives:
+Although it should be rare, it is possible to observe an ICMP "SKIP" message with an ICMP code greater than 0 if it is generated by software that does not conform to standards.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+None.
+
+--
+Contributors:
+Original rule writer unknown.
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2736.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2736
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_date
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2014.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+2014
+
+--
+Summary:
+Remote Procedure Call (RPC) is a facility that enables a machine to
+request a service from another remote machine. This is done without the
+need for detailed network information. Some versions of RPC have a
+vulnerability that allows an a remote host to register (and un-register)
+applications from a spoofed source.
+
+--
+Impact:
+Possible denial of service (DoS) against the target host. Potential
+remote root compromise of the target system.
+
+--
+Detailed Information:
+Certain versions of rpcbind portmapper contain a flaw that could allow
+an attacker capable of spoofing TCP packets to set and unset calls to
+arbitrary RPC programs.
+
+A denial of service could be instigated against the target machine that
+could render network file system services and other such network
+available services unavailable to network users.
+
+It is also possible for the attacker to gain super user access depending
+on the RPC service he is able to register. This could then lead to a
+compromise of all resources on the network the victim is attached to.
+
+--
+Affected Systems:
+All machines running vulnerable RPC services.
+
+--
+Attack Scenarios:
+The attacker could potentially spoof TCP packets for pmap_set to
+register an RPC service. The attacker might also spoof TCP packets to
+un-register needed services via pmap_unset.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+RPC services should not be available outside the local area network,
+filter RPC ports at the firewall to ensure access is denied to RPC
+enabled machines.
+
+RPC services should also be disabled where not needed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+BugTraq:
+http://www.securityfocus.com/bid/1892
+
+--
--- /dev/null
+++ b/doc/signatures/1431.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 1431
+
+--
+Summary:
+This event is generated when packets with the SYN flag set are sent to
+multicast addresses.
+
+--
+Impact:
+Possible reconnaisance or evidence of a Denial of Service (DoS) attack.
+
+--
+Detailed Information:
+Under normal circumstances packets with the SYN flag set should not be
+sent to multicast addresses.
+
+If the attacker has spoofed a multicast address when sending a SYN flood
+attack this traffic will be seen.
+
+an indicator of unauthorized network use, reconnaisance activity or
+system compromise. These rules may also generate an event due to
+improperly configured network devices.
+
+--
+Affected Systems:
+ Any
+
+--
+Attack Scenarios:
+The attacker may have intiated an attack and could have spoofed a
+multicast address as the source.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Employ filtering at the firewall.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/607.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid: 607
+
+--
+Summary:
+This event is generated when an attempt to login using the "bin" account is made.
+
+--
+Impact:
+An attacker may have gained the ability to initiate a remote interactive session on the server.
+
+--
+Detailed Information:
+This event is generated when a connection using the "bin" account via "rsh" is attempted.
+
+This activity is indicative of attempts to abuse hosts using a default configuration.
+
+Some UNIX systems used to ship with "bin" account enabled and no password required. Similarly, the "rshd" service was also enabled. This allowed an attacker to connect to the machine and establish an interactive session using the "bin" account.
+
+--
+Attack Scenarios:
+An attacker finds a machine with default account "bin" and "rshd" service running and connects to it, then escalates his privileges to "root"
+
+--
+Ease of Attack:
+Simple, no exploit software required
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+If a local username is not the same as the remote one ("bin"), the rule will not generate an event.
+
+--
+Corrective Action:
+Investigate logs on the target host for further details and more signs of suspicious activity
+
+Use ssh for remote access instead of rlogin.
+
+--
+Contributors:
+Original rule by Max Vision modified from a signature written by Ron Gula
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS384
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651
+
+--
--- /dev/null
+++ b/doc/signatures/542.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+542
+
+--
+Summary:
+This event is generated when activity relating to network chat clients
+is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown
+external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow
+users to transfer files directly between hosts. This can allow malicious
+users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain
+unauthorized access to a host.
+
+This event indicates that an IRC nickname change has been made from a
+client originating from the protected network to an IRC server external
+to the protected network.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party
+using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access
+to a host, then upload a Trojan Horse program to gain control of that
+host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+IRC Protocol:
+http://www.irchelp.org/irchelp/rfc/
+
+--
--- /dev/null
+++ b/doc/signatures/2952.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2952
+
+--
+Summary:
+This event is generated when an attempt is made to gain access to
+private resources using Samba.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to use Samba to gain
+access to private or administrative shares on a host.
+
+--
+Affected Systems:
+ All systems using Samba for file sharing.
+ All systems using file and print sharing for Windows.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+direct access to Windows adminsitrative shares.
+
+--
+Ease of Attack:
+Simple. Exploit software is not required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000503.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000503
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Nucleus CMS" application running on a webserver.
+Access to the file "action.php" using a remote file being passed as the
+"DIR_LIB" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "DIR_LIB" parameter in the "action.php" script used by
+the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/100000540.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+100000540
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "Enterprise Groupware" application running on a
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "module" parameter in the "index.php" script
+used by the "Enterprise Groupware" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using Enterprise Groupware
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/1031.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+1031
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a web server running Microsoft Internet Information
+Server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases. Denial of
+Service is possible.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running Microsoft Internet Information Server (IIS). Many known
+vulnerabilities exist for this platform and the attack scenarios are
+legion.
+
+--
+Affected Systems:
+ All systems running Microsoft IIS
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1224.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1224
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/284.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+284
+
+--
+Summary:
+This event generated when an attempt is made to exploit a buffer overflow in the pop2 service.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable host with the privileges of the user "nobody".
+
+--
+Detailed Information:
+Access to the user "nobody" can be obtained with pop2 or pop3 servers that support "anonymous proxy". "Anonymous proxy" permits the use of a proxy pop server to access mail on another pop server where the user has a valid account. This access to the proxy server as user "nobody". A buffer overflow exists because of improper user input filtering, allowing the attacker to enter an overly long argment to the FOLD command. This may permit the execution of arbitrary commands on the vulernable server with the privileges of the user "nobody".
+
+--
+Affected Systems:
+Debian Linux 2.1
+Redhat Linux 4.2, 5.0, 5.1, and 5.2
+University of Washington imap 4.4
+University of Washington pop2d 4.4
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable pop2 server, permitting the execution of arbitrary commands with the privilege of user "nobody".
+
+--
+Ease of Attack:
+Simple. Exploit scripts are freely available.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the pop2d version 4.51 or later.
+
+Compile pop2d to not support anonymous proxing.
+
+--
+Contributors:
+Original rule writer unknown
+Documented by Steven Alexander
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/283
+
+--
--- /dev/null
+++ b/doc/signatures/100000760.txt
@@ -0,0 +1,56 @@
+
+
+Rule:
+
+--
+Sid:
+100000760
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site scripting vulnerability in the "The Banner Engine" application running on a webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site scripting vulnerability via the "text" parameter in the "top.php" script used by the "The Banner Engine" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to retrieve sensitive data, execute system binaries or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using The Banner Engine
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/1396.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1396
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/668.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+668
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where tab characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise.
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of tab characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with tabs in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with tab characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0203
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
--- /dev/null
+++ b/doc/signatures/1869.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1869
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2144.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid: 2144
+
+
+--
+Summary:
+This event is generated when an attempt is made to access the cafelog php application.
+
+--
+Impact:
+Possible arbitrary code execution.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the cafelog PHP application.
+
+It is possible for an attacker to include a PHP file of his choosing via a URL, the script is processed and executed with the privileges of the user running the webserver. This is due to poor checking of user supplied variables in the gm-2-b2.php script.
+
+--
+Affected Systems:
+Any host using cafelog.
+
+--
+Attack Scenarios:
+An attacker could include a PHP file of his choice by including the file name in a URI supplied to the webserver that would in turn process the script via gm-2-b2.php.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the php implementation on the host.
+
+Check the webserver log files for signs of this activity.
+
+Where possible, ensure the webserver is run as an unprivileged process.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000444.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000444
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MiraksGalerie" application running on a webserver. Access to the file "galsecurity.lib.php" using a remote file being passed as the "listconfigfile[0]" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "listconfigfile[0]" parameter in the "galsecurity.lib.php" script used by the "MiraksGalerie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MiraksGalerie
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/3203.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3203
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3033.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3033
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+ Samba 3.0.8 and prior
+
+--
+Attack Scenarios:
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2264.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2264
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/advisories/CA-2003-12.html
+
+--
--- /dev/null
+++ b/doc/signatures/1136.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1136
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000682.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000682
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Harpia" application running on a webserver.
+Access to the file "email.php" using a remote file being passed as the
+"header_prog" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "header_prog" parameter in the "email.php" script used
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1719.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1719
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1573.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1573
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1146.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1146
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/298.txt
@@ -0,0 +1,60 @@
+SID:
+298
+--
+
+Rule:
+--
+
+Summary:
+This event is triggered when an attempt is made to overflow an imapd server.
+--
+
+Impact:
+Commands may be run on the IMAP server as the root user, This can lead to a complete compromise of the targeted system
+--
+
+Detailed Information:
+Failure to check the size of the value passed to the 'AUTHENTICATE'
+command on certain IMAPD implementations can lead to a buffer overflow.
+This in turn can allow arbitrary commands to be executed on the server.
+--
+
+Affected Systems:
+ Netscape Messaging Server 3.55, University of Washington imapd 10.234
+--
+
+Attack Scenarios:
+An attacker may attempt to exploit a vulnerable imapd server, permitting
+the execution of arbitrary commands possibly with the privilege of user
+"root".
+--
+
+Ease of Attack:
+Simple. Sample exploit code is available.
+--
+
+False Positives:
+None known
+--
+
+False Negatives:
+None known
+
+--
+
+Corrective Action:
+Vendors have provided updated versions, upgrading will resolve this
+problem
+
+--
+
+Contributors:
+Snort documentation contributed by matthew harvey
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+References:
+
+--
--- /dev/null
+++ b/doc/signatures/678.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+678
+
+--
+
+Summary:
+This event is generated when a command is issued to an SQL database
+server that may result in a serious compromise of the data stored on
+that system.
+
+--
+Impact:
+Serious. An attacker may have gained administrator access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an
+SQL database that may result in a serious compromise of all data stored
+on that system.
+
+Such commands may be used to gain access to a system with the privileges
+of an administrator, delete data, add data, add users, delete users,
+return sensitive information or gain intelligence on the server software
+for further system compromise.
+
+This connection can either be a legitimate telnet connection or the
+result of spawning a remote shell as a consequence of a successful
+network exploit.
+
+--
+Affected Systems:
+ Microsoft SQL Servers
+
+--
+Attack Scenarios:
+Simple. These are SQL database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and
+issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Disallow direct access to the SQL server from sources external to the
+protected network.
+
+Ensure that this event was not generated by a legitimate session then
+investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft MSDN:
+http://msdn.microsoft.com/library/en-us/tsqlref/ts_sp_da-di_8nas.asp
+
+--
--- /dev/null
+++ b/doc/signatures/1696.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1696
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000714.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000714
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "PHPRaid" application running on a webserver. Access to the file "view.php" using a remote file being passed as the "phpraid_dir" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "phpraid_dir" parameter in the "view.php" script used by the "PHPRaid" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using PHPRaid
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1666.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+1666
+
+--
+Summary:
+This event is generated when a webserver returns a directory listing of
+it's cgi-bin.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event is generated when a webserver returns a directory listing of
+it's cgi-bin. The scripts listed may be valuable to an attacker when
+planning further attacks against the webserver. It may also be possible
+for the attacker to download the contents of the cgi-bin and view the
+contents of the script sources.
+
+--
+Affected Systems:
+ All web server platforms.
+
+--
+Attack Scenarios:
+An attacker can list the contents of the cgi-bin, discover the filename
+of a vulnerable script and use the information to execute an exploit
+against the server.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow directory content listing of the cgi-bin.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/541.txt
@@ -0,0 +1,51 @@
+Rule:
+
+--
+Sid: 541
+
+--
+Summary:
+This event is generated when activity relating to network chat clients is detected.
+
+--
+Impact:
+Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
+
+--
+Detailed Information:
+Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
+
+Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using the file transfer capabilities of an IM client.
+
+An attacker might utilize a vulnerability in an IM client to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/987.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+987
+
+--
+Summary:
+This event is generated when an attempt is made to disclose the contents of an Active Server Page (ASP) using a malformed HTR request.
+
+--
+Impact:
+Information gathering. Fragments of the source code of an ASP may be returned possibly disclosing sensitive information.
+
+--
+Detailed Information:
+HTR is an older scripting language still supported by Internet Information Service (IIS). HTR requests are preocessed by ISM.DLL that improperly evaluates malformed HTR requests. This may disclose parts of the source code associated with a .asp file referenced in the request.
+
+--
+Affected Systems:
+
+Microsoft IIS 4.0, 5.0
+
+--
+Attack Scenarios:
+An attacker can craft a malformed request to disclose source code possibly revealing sensitive information.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+Consider running the IIS Lockdown Tool to disable HTR functionality.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CVE
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0063
+
+Bugtraq
+http://www.securityfocus.com/bid/1488
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
+
+--
--- /dev/null
+++ b/doc/signatures/100000570.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000570
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "app_change_pwd.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"app_change_pwd.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2992.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+2992
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a Windows
+system via SMB.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a Windows
+system via SMB across the network.
+
+It may be possible for an attacker to manipulate a Windows system
+from a remote location. Shutting down a system may lead to a Denial of
+Service for the target host.
+
+--
+Affected Systems:
+ Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may be able to manipulate a target system using SMB. The
+attacker may gain complete control over the affected system.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+Disallow remote registry manipulation.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2471.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2471
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+ Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
--- /dev/null
+++ b/doc/signatures/1107.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1107
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3429.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3429
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1892.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1892
+
+--
+Summary:
+This event is generated when SNMP communications contain a NULL value
+the authentication string.
+
+--
+Impact:
+Medium to Serious. Depending on if the community string was for
+read-only, read-create or read-write an attacker could gain a varying
+level of access to a system.
+
+--
+Detailed Information:
+An SNMP community string is the authentication process that a host
+running SNMP uses to grant access.
+
+--
+Affected Systems:
+Numerous. Routers, switches, servers, NAS systems, many others.
+
+--
+Attack Scenarios:
+An attacker can launch a scan of all network attached devices looking
+for port 161 (UDP) and then attempt to gain access using SNMP.
+
+--
+Ease of Attack:
+Simple. There are many free SNMP "tree walking" programs, an example of
+such is getIF.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Make sure that all devices that have SNMP turned on have complex
+passwords assigned.
+
+Disable unneeded WRITE / CREATE community strings.
+
+Since SNMP traffic is not encrypted, use a packet filtering firewall to
+restrict SNMP communications to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Mike Rivett ebiz@rivett.org
+
+--
+Additional References:
+
+GetIF:
+http://www.wtcs.org/snmp4tpc/getif.htm
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0517
+
+--
--- /dev/null
+++ b/doc/signatures/614.txt
@@ -0,0 +1,94 @@
+Rule:
+
+--
+Sid:
+614
+
+--
+Summary:
+hack-a-tack is a Trojan Horse.
+
+--
+Impact:
+Possible theft of data via download, upload of files, execution of files and reboot the targeted machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+ Windows XP
+
+The Trojan changes system registry settings to add the hack-a-tack server to programs normally started on boot. Due to the nature of this Trojan it is unlikely that the attacker's client IP address has been spoofed.
+
+ SID Message
+ --- -------
+ 141 HackAttack 1.20 Connect
+ 614 hack-a-tack attempt
+
+This Trojan is commonly used to install other Trojan programs.
+
+The server portion opens TCP ports 31785 and 31787 and UDP ports 31789 and 31791 by default to establish a connection between client and server. The ports may then be configured by the attacker to use something other than these defaults.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan.
+
+The Trojan server is located at :\WINDOWS\Expl32.exe.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Explorer32 =":\windows\Expl32.exe"
+ Configuration Wizard = ":\windows=cfgwiz32.exe"
+
+Removal of this entry is required.
+
+Delete the file(s) :\WINDOWS\Expl32.exe and :\windows=cfgwiz32.exe
+
+Ending the Trojan process is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS314
+http://www.whitehats.com/info/IDS504
+
+Hackfix.org
+http://www.hackfix.org/miscfix/hackatack.shtml
+
+Commodon Communications
+http://www.commodon.com/threat/threat-hack.htm
+
+--
--- /dev/null
+++ b/doc/signatures/3110.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3110
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1761.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1761
+
+--
+Summary:
+This event is generated when network traffic indicating the use of an
+IDS system on the protected network is detected.
+
+--
+Impact:
+These tools may be used to compromise data on the network or may
+indicate mis-use of other IDS systems.
+
+--
+Detailed Information:
+This event indicates the use of an IDS tool. The source of the event
+should be investigated carefully. These tools may be used to gather data
+present in traffic on the protected network.
+
+--
+Affected Systems:
+ All networks.
+
+--
+Attack Scenarios:
+An unathorized user could use an IDS to gather data and observe traffic
+present on the network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3248.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3248
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/237.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+237
+
+--
+Summary:
+This event is generated when a trinoo DDoS master host communicates with a daemon host.
+
+--
+Impact:
+Attempted DDoS. If the listed source IP is in your network, it may be a trinoo master. If the listed destination IP is in your network, it may be a trinoo daemon.
+
+--
+Detailed Information:
+The trinoo DDoS uses a tiered structure of compromised hosts to coordinate and participate in a distributed denial of service attack. Masters communicate with daemons to direct them to launch attacks. A master may communicate with a daemon via UDP destination port 27444 with a string of "l44adsl" in the payload. This string is the default password for the daemon.
+
+--
+Affected Systems:
+Any trinoo compromised host.
+
+--
+Attack Scenarios:
+A trinoo master will communicate with a daemon to direct it to launch attacks.
+
+--
+Ease of Attack:
+Simple. trinoo code is freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Perform proper forensic analysis on the suspected compromised host to discover the means of compromise.
+
+Rebuild a confirmed compromised host.
+
+Use a packet-filtering firewall to block inappropriate traffic to the network to prevent hosts from being compromised.
+
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+CERT:
+http://www.cert.org/incident_notes/IN-99-07.html#trinoo
+
+Arachnids:
+http://www.whitehats.com/info/IDS197
+
+--
--- /dev/null
+++ b/doc/signatures/890.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+890
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running on a web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2535.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2535
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft implementation of SSL Version 3.
+
+--
+Impact:
+Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in the handling of SSL Version 3 requests that
+can be manipulated to cause a DoS condition in various software
+implementations used on Microsoft operating systems.
+
+The condition exists because of poor error handling routines in the
+Microsoft Secure Sockets Layer (SSL) library. SSL requests containing an
+invalid field, sent to vulnerable systems can cause the affected host to stop
+handling any further requests.
+
+--
+Affected Systems:
+ Microsoft Windows 2000, 2003 and XP systems using SSL
+
+--
+Attack Scenarios:
+An attcker needs to make an SSL request to an affected system that
+contains an invalid field.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+US-Cert:
+http://www.kb.cert.org/vuls/id/150236
+
+--
--- /dev/null
+++ b/doc/signatures/100000416.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000416
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "MyBloggie" application running on a webserver. Access to the file "admin.php" using a remote file being passed as the "mybloggie_root_path" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mybloggie_root_path" parameter in the "admin.php" script used by the "MyBloggie" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using MyBloggie
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/708.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid: 708
+
+--
+
+Summary:
+This event is generated when an attempt is made to overflow a buffer in the Microsoft SQL Server and Data Engine.
+
+--
+Impact:
+Serious. A Denial of Service condition or execution of arbitrary code is possible.
+
+--
+Detailed Information:
+A buffer overflow condition exists in some versions of Microsoft SQL Server and Data Engine that may allow an attacker to execute arbitrary code with system privileges or crash the SQL Server.
+
+The attacker must gain access to the SQL Server to exploit this vulnerability.
+
+--
+
+Attack Scenarios:
+Exploit code exists.
+
+--
+
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Disallow direct access to the SQL server from sources external to the protected network.
+
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1082
+
+Bugtraq:
+http://www.securityfocus.com/bid/2031
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/ms00-092.asp
+
+--
--- /dev/null
+++ b/doc/signatures/1520.txt
@@ -0,0 +1,90 @@ +Rule: + +-- +Sid: +1520 + +-- +Summary: +This event is generated when an attempt is made to access server-info. +Using the Apache webserver, this url is generally handled by the +mod_info module, which will happily disclose valuable information about +your webserver which may aid in their attack. + +-- +Impact: +Information disclosure. + +-- +Detailed Information: +The mod_info module "provides a comprehensive overview of the server +configuration including all installed modules and directives in the +configuration files" for the Apache webserver. Successfully accessing the url +that is handle by mod_info may give an attacker valuable information about +the server. + +If mod_info is in use and the attacking host is allowed to access it, +every possible configuration option that the Apache server is using can +be viewed. This includes ACLs, modules, file and directory names, and +other valuable information that will help an attacker determine ways of +attacking the server. + +-- +Affected Systems: + Apache webservers with mod_info enabled. + +-- +Attack Scenarios: +As part of an attack against an Apache webserver, an attacker may try to +access "/server-info" which is typically handled by the mod_info module. If +sucessful, this will give valuable information about the webserver for +use in further attacks. + +-- +Ease of Attack: +Simple. No exploit software is required. + +-- +False Positives: +Few, but certainly possible. Since this rule only checks for the +existance of "/server-info" in the url, any url containing that string will +trigger this rule. A few common false positives may include urls like: + +http://victim/server-info/contact.html +http://victim/really/long/directory/server-info.html + +-- +False Negatives: +None Known + +-- +Corrective Action: +Determine if server-info exists on the victim in question, and if the attacker +is allowed to access it. 
+ +If mod_info is necessary on this server, consider restricting access to +it via Apache directives, i.e.: + + + SetHandler server-info + Order deny,allow + Deny from all + Allow from .yourdomain.net + + + +-- +Contributors: +Snort documentation contributed by Jon Hart +Sourcefire Vulnerability Research Team +Brian Caswell +Nigel Houghton + + +-- +Additional References: + +Apache: +http://httpd.apache.org/docs/mod/mod_info.html + +-- --- /dev/null +++ b/doc/signatures/2724.txt 
@@ -0,0 +1,69 @@ +Rule: + +-- +Sid: +2724 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in an Oracle database server. + +-- +Impact: +Serious. Possible execution of arbitrary code and Denial of Service. + +-- +Detailed Information: +This event is generated when an attempt is made to exploit a known +vulnerability in an Oracle database implementation. Multiple buffer +overflow conditions are present in numerous packages and procedures. + +Exploitation of these vulnerable procedures may allow an attacker to +execute code of their choosing as the user running the database. In the +case of databases running on Microsoft Windows platforms, this is the +Local System account which may mean a compromise of the operating system +as well as the database. + +This event indicates that an attempt has been made to exploit a +vulnerability in the procedure add_priority_date +. This procedure is included in +dbms_repcat. + +-- +Affected Systems: + Oracle Oracle9i + +-- +Attack Scenarios: +If an attacker can supply enough data to the procedure in question, it +may be possible to cause the overflow condition to occur and present the +attacker with the opportunity to execute code of their choosing. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None Known + +-- +False Negatives: +None Known + +-- +Corrective Action: +Apply the appropriate vendor supplied patch + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Alex Kirk +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/391.txt 
@@ -0,0 +1,60 @@ +Rule: + +-- + +Sid: +391 + +-- + +Summary: +This event is generated when an ICMP Alternate Host Address datagram is detected on the network with an invalid ICMP code. This ICMP Type is not documented in an RFC, but may be implemented by routing equipment to direct hosts to the correct IP address of neighboring hosts. + +-- + +Impact: +This ICMP Type is not implemented in most standard operating systems and is a potential indication of information gathering activities. + +-- + +Detailed Information: +ICMP Type 6 (Alternate Host Address) is not defined in an RFC and should not be considered legitimate network traffic. + +-- + +Attack Scenarios: +Attackers may use this ICMP Type to gather information about the network. +-- + +Ease of Attack: +Numerous tools and scripts can generate ICMP Alternate Host Address datagrams with invalid ICMP codes. + +-- + +False Positives: +None known + +-- + +False Negatives: +None known + +-- + +Corrective Action: +ICMP Type 6 datagrams should be blocked at the firewall. + +-- + +Contributors: +Original Rule wirter unknown +Sourcefire Research Team +Matthew Watchinski (matt.watchinski@sourcefire.com) + +-- + +Additional References: +None + + +-- --- /dev/null +++ b/doc/signatures/2124.txt 
@@ -0,0 +1,59 @@ +Rule: + +-- +Sid: +2124 + +-- +Summary: +This event is generated when an attempt is made to connect to a host running a Remote PC Access Server. + +-- +Impact: +Serious. System compromise leading to a compromise of all data on the target host. + +-- +Detailed Information: +This event indicates that an attempt has been made to connect to a host using the Remote PC Access Server. This event may also be generated by an attacker using Nessus to scan for Remote PC Access. + +Remote PC is used to remotely administer hosts via the Internet. It offers complete control of the client machine via a TCP connection. + +Login information is transmitted in clear text across a TCP connection, the attacker could recover this information by capturing a legitimate session. It may also be possible for an attacker to gain access by utilizing a brute force attack to discover the password to connect. + +-- +Affected Systems: +Any host using the Remote PC Access Server. + +-- +Attack Scenarios: +An attacker can connect to the Remote PC Access Server using the client program and gain complete control of the host if the password and username are known. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +A legitimate login session may cause this rule to generate an event. + +-- +False Negatives: +None Known. + +-- +Corrective Action: +Disable the Remote PC Access Server + +Disallow connection to the server from clients external to the protected network. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + + +-- --- /dev/null +++ b/doc/signatures/427.txt 
@@ -0,0 +1,61 @@ +Rule: + +-- + +Sid: +427 + +-- + +Summary: +This event is generated when a router generates and ICMP Parameter Problem Unspecified Error datagram. + +-- + +Impact: +This could be an indication of a protocol error by a previous hop router. Normally this datagram would only be generated with the datagram was truncated or damaged before it reached its final destination. + +-- + +Detailed Information: +A router generates a Parameter Problem message for any error not specifically covered by another ICMP message. This could be an indication of routing problems on the network, or malfunctioning routing hardware. + +-- + +Attack Scenarios: +None known + +-- + +Ease of Attack: +Numerous tools and scripts can generate this type of ICMP datagram. + +-- + +False Positives: +None known + +-- + +False Negatives: +None known + +-- + +Corrective Action: +ICMP Type 12 Code 0 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for configuration errors or nefarious activity. + +-- + +Contributors: +Original Rule writer unknown +Sourcefire Research Team +Matthew Watchinski (matt.watchinski@sourcefire.com) + +-- + +Additional References: +None + + +-- --- /dev/null +++ b/doc/signatures/1213.txt 
@@ -0,0 +1,71 @@ +Rule: + +-- +Sid: +1213 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability on a web server or a web application resident on a web +server. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server. Possible execution of arbitrary code of +the attackers choosing in some cases. + +-- +Detailed Information: +This event is generated when an attempt is made to compromise a host +running a Web server or a vulnerable application on a web server. + +Many known vulnerabilities exist for each implementation and the +attack scenarios are legion. + +Some applications do not perform stringent checks when validating the +credentials of a client host connecting to the services offered on a +host server. This can lead to unauthorized access and possibly escalated +privileges to that of the administrator. Data stored on the machine can +be compromised and trust relationships between the victim server and +other hosts can be exploited by the attacker. + +-- +Affected Systems: + All systems using a web server. + +-- +Attack Scenarios: +Many attack vectors are possible from simple directory traversal to +exploitation of buffer overflow conditions. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +Check the host logfiles and application logs for signs of compromise. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/100000629.txt 
@@ -0,0 +1,74 @@ +Rule: + +-- +Sid: +100000629 +-- +Summary: +This event is generated when an attempt is made to exploit a remote file +include vulnerability in the "Indexu" application running on a webserver. +Access to the file "message_view.php" using a remote file being passed as the +"admin_template_path" parameter may indicate that an exploitation attempt has +been attempted. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server or application. Possible execution of +arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event indicates that an attempt has been made to include a file from a +remote machine via the "admin_template_path" parameter in the +"message_view.php" script used by the "Indexu" application running on a +webserver. + +If stringent input checks are not performed by the CGI application, it may also +be possible for an attacker to execute system binaries or malicious code of the +attackers choosing. + +This event is generated when an attempt is made to gain unauthorized access to +a CGI application running ona web server. Some applications do not perform +stringent checks when validating the credentials of a client host connecting to +the services offered on a host server. This can lead to unauthorized access and +possibly escalated privileges to that of the administrator. Data stored on the +machine can be compromised and trust relationships between the victim server +and other hosts can be exploited by the attacker. + +-- +Affected Systems: +All systems running CGI applications using Indexu +-- +Attack Scenarios: +An attacker can access an authentication mechanism and supply his/her own +credentials to gain access. Alternatively the attacker can exploit weaknesses +to gain access as the administrator by supplying input of their choosing to the +underlying CGI script. + +-- +Ease of Attack: +Simple. Exploits exist. 
+ +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has had +all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Nigel Houghton +-- +Additional References: + +-- + --- /dev/null +++ b/doc/signatures/1686.txt 
@@ -0,0 +1,70 @@ +Rule: + +-- +Sid: 1686 + +-- + +Summary: +This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system. + +-- +Impact: +Serious. An attacker may have gained superuser access to the system. + +-- +Detailed Information: +This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system. + +Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise. + +This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit. + +Oracle servers running on a Windows platform may listen on any arbitrary +port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this +is applicable to the protected network. + +-- + +Attack Scenarios: +Simple. These are Oracle database commands. + +-- + +Ease of Attack: +Simple. + +-- + +False Positives: +This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network. + +-- +False Negatives: +Configure your ORACLE_PORTS variable correctly for the environment you are in. +In many situations ORACLE negotiates a communication port. This means that 1521 +and 1526 are not used for communication during the entire transaction. A new +port is negotiated after the initial connect message, all communication after +that uses this other port. If you are in an environment such as this, you should +set ORACLE_PORTS to "any" in snort.conf. + +Otherwise, there are no known false negatives. 
+ +-- + +Corrective Action: +Use a firewall to disallow direct access to the Oracle database from sources external to the protected network. +Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise + +Look for other events generated by the same IP addresses. + +-- +Contributors: +Original Rule Writer Unknown +Sourcefire Research Team +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/2822.txt 
@@ -0,0 +1,69 @@ +Rule: + +-- +Sid: +2822 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in an Oracle database server. + +-- +Impact: +Serious. Possible execution of arbitrary code and Denial of Service. + +-- +Detailed Information: +This event is generated when an attempt is made to exploit a known +vulnerability in an Oracle database implementation. Multiple buffer +overflow conditions are present in numerous packages and procedures. + +Exploitation of these vulnerable procedures may allow an attacker to +execute code of their choosing as the user running the database. In the +case of databases running on Microsoft Windows platforms, this is the +Local System account which may mean a compromise of the operating system +as well as the database. + +This event indicates that an attempt has been made to exploit a +vulnerability in the procedure publish_flavor_definition +. This procedure is included in +sys.dbms_repcat_fla_mas. + +-- +Affected Systems: + Oracle Oracle9i + +-- +Attack Scenarios: +If an attacker can supply enough data to the procedure in question, it +may be possible to cause the overflow condition to occur and present the +attacker with the opportunity to execute code of their choosing. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None Known + +-- +False Negatives: +None Known + +-- +Corrective Action: +Apply the appropriate vendor supplied patch + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Alex Kirk +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/100000556.txt 
@@ -0,0 +1,63 @@ +Rule: + +-- +Sid: +100000556 +-- +Summary: +This event is generated when an attempt is made to exploit a cross site +scripting vulnerability in the "VebiMiau" application running on a webserver. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server or application. Possible execution of +arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event indicates that an attempt has been made to exploit a cross site +scripting vulnerability via the "sid" parameter in the "error.php" script used +by the "VebiMiau" application running on a webserver. + +If stringent input checks are not performed by the CGI application, it may also +be possible for an attacker to retrieve sensitive data, execute system binaries +or malicious code of the attackers choosing. + +-- +Affected Systems: +All systems running CGI applications using VebiMiau +-- +Attack Scenarios: +An attacker can supply a malicious link designed to steal information from a +user clicking on that link. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has had +all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Nigel Houghton +-- +Additional References: + +The Cross Site Scripting (XSS) FAQ +http://www.cgisecurity.com/articles/xss-faq.shtml + +-- + --- /dev/null +++ b/doc/signatures/2623.txt 
@@ -0,0 +1,74 @@ +Rule: + +-- +Sid: +2623 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in a Oracle database implementation. + +-- +Impact: +Serious. Execution of arbitrary code may be possible. A Denial of +Service (DoS) condition may also be caused. + +-- +Detailed Information: +Oracle databases may use a built-in procedure to assist in useful +tasks. The "create_snapshot_repgroup" procedure contains a +programming error that may allow an attacker to execute a buffer +overflow attack. + +This overflow is triggered by a long string in a parameter for the +procedure. + + +If you are running Oracle on a Windows server, make sure that the +variable $ORACLE_PORTS is set to a value of "any". + +-- +Affected Systems: + Oracle 9i + +-- +Attack Scenarios: +An attacker can supply a long string to the first variable to cause +the overflow. The result could permit the attacker to gain escalated +privileges and run code of their choosing. This attack requires an +attacker to logon to the database with a valid username and password +combination. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Matt Watchinski +Brian Caswell +Nigel Houghton +Judy Novak + +-- +Additional References: + +Other: +http://www.appsecinc.com/Policy/PolicyCheck97.html + +-- --- /dev/null +++ b/doc/signatures/100000701.txt 
@@ -0,0 +1,58 @@ + + +Rule: + +-- +Sid: +100000701 +-- +Summary: +This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "WordPress" application running on a webserver. Access to the file "index.php" with SQL commands being passed as the "paged" parameter may indicate that an exploitation attempt has been attempted. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event indicates that an attempt has been made to inject SQL code from a remote machine via the "paged" parameter in the "index.php" script used by the "WordPress" application running on a webserver. + +If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing. + +This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. + +-- +Affected Systems: +All systems running CGI applications using WordPress +-- +Attack Scenarios: +An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. 
+ +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Nigel Houghton +-- +Additional References: + +SQL Injection Attack and Defense +http://www.securitydocs.com/library/3587 + +-- + --- /dev/null +++ b/doc/signatures/1574.txt 
@@ -0,0 +1,69 @@ +Rule: + +-- +Sid: +1574 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in a CGI web application running on a server. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server or application. Possible execution +of arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event is generated when an attempt is made to gain unauthorized +access to a CGI application running ona web server. Some applications do +not perform stringent checks when validating the credentials of a client +host connecting to the services offered on a host server. This can lead +to unauthorized access and possibly escalated privileges to that of the +administrator. Data stored on the machine can be compromised and trust +relationships between the victim server and other hosts can be exploited by the attacker. + +If stringent input checks are not performed by the CGI application, it +may also be possible for an attacker to execute system binaries or +malicious code of the attackers choosing. + +-- +Affected Systems: + All systems running CGI applications + +-- +Attack Scenarios: +An attacker can access an authentication mechanism and supply his/her +own credentials to gain access. Alternatively the attacker can exploit +weaknesses to gain access as the administrator by supplying input of +their choosing to the underlying CGI script. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/809.txt 
@@ -0,0 +1,69 @@ +Rule: + +-- +Sid: +809 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in a CGI web application running on a server. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server or application. Possible execution +of arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event is generated when an attempt is made to gain unauthorized +access to a CGI application running ona web server. Some applications do +not perform stringent checks when validating the credentials of a client +host connecting to the services offered on a host server. This can lead +to unauthorized access and possibly escalated privileges to that of the +administrator. Data stored on the machine can be compromised and trust +relationships between the victim server and other hosts can be exploited by the attacker. + +If stringent input checks are not performed by the CGI application, it +may also be possible for an attacker to execute system binaries or +malicious code of the attackers choosing. + +-- +Affected Systems: + All systems running CGI applications + +-- +Attack Scenarios: +An attacker can access an authentication mechanism and supply his/her +own credentials to gain access. Alternatively the attacker can exploit +weaknesses to gain access as the administrator by supplying input of +their choosing to the underlying CGI script. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/2525.txt 
@@ -0,0 +1,68 @@ +Rule: + +-- +Sid: +2525 + +-- +Summary: +This event is generated when an attempt is made to exploit a buffer +overrun condition in Microsoft products via the Local Security Authority +Subsystem Service (LSASS). + +-- +Impact: +Remote execution of arbitrary code. + +-- +Detailed Information: +A vulnerability exists in LSASS that may present an attacker with the +opportunity to execute code of their choosing on an affected host. + +The problem lies in an unchecked buffer in the LSASS service, suscessful +exploitation may present the attacker with the opportunity to gain +control of the affected system. + +-- +Affected Systems: + Microsoft Windows 2000, 2003 and XP systems. + +-- +Attack Scenarios: +An attcker needs to make a specially crafted request to the LSASS +service that could contain harmful code to gain further access to the +system. + +-- +Ease of Attack: +Moderate. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches + +Use a packet filtering firewall to deny access to TCP and UDP ports 135 +and 445, UDP ports 137 and 138 and TCP ports 139 and 593 from resources +outside the protected network. + +Access should also be denied to ephemeral ports and any other ports used +by RPC services from sources external to the protected network. + +-- +Contributors: +Sourcefire Research Team +Matt Watchinski +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/2157.txt 
@@ -0,0 +1,65 @@ +Rule: + +-- +Sid: 2157 + + +-- +Summary: +This event is generated when an attempt is made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS). + +-- +Impact: +Administrator access. + +-- +Detailed Information: +This event indicates that an attempt has been made to access the administration interface of IISProtect on a host running Microsoft Internet Information Server (IIS). + +The attacker can gain administrator access to the web server running IISProtect without the need to authenticate. + +-- +Affected Systems: +Any host using IISProtect. + +-- +Attack Scenarios: +An attacker can gain control of the web server without the need to authenticate. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None Known. + +-- +False Negatives: +None Known. + +-- +Corrective Action: +Upgrade to the latest non-affected version of the software. + +Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files. + +Ensure that the IIS implementation is fully patched. + +Ensure that the underlying operating system is fully patched. + +Employ strategies to harden the IIS implementation and operating system. + +Check the host for signs of compromise. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + + +-- --- /dev/null +++ b/doc/signatures/100000377.txt 
@@ -0,0 +1,58 @@ + + +Rule: + +-- +Sid: +100000377 + +-- +Summary: +This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpNuke" application running on a webserver. Access to the file "admin_forum_prune.php" using a remote file being passed as the "phpbb_root_path" parameter may indicate that an exploitation attempt has been attempted. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases. + +-- +Detailed Information: +This event indicates that an attempt has been made to include a file from a remote machine via the "phpbb_root_path" parameter in the "admin_forum_prune.php" script used by the "phpNuke" application running on a webserver. + +If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing. + +This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker. + +-- +Affected Systems: +All systems running CGI applications using phpNuke + +-- +Attack Scenarios: +An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script. + +-- +Ease of Attack: +Simple. Exploits exist. 
+ +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied. + +-- +Contributors: +Sourcefire Vulnerability Research Team +Nigel Houghton + +-- +Additional References: + +-- + --- /dev/null +++ b/doc/signatures/1489.txt 
@@ -0,0 +1,71 @@ +Rule: + +-- +Sid: +1489 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability on a web server or a web application resident on a web +server. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server. Possible execution of arbitrary code of +the attackers choosing in some cases. + +-- +Detailed Information: +This event is generated when an attempt is made to compromise a host +running a Web server or a vulnerable application on a web server. + +Many known vulnerabilities exist for each implementation and the +attack scenarios are legion. + +Some applications do not perform stringent checks when validating the +credentials of a client host connecting to the services offered on a +host server. This can lead to unauthorized access and possibly escalated +privileges to that of the administrator. Data stored on the machine can +be compromised and trust relationships between the victim server and +other hosts can be exploited by the attacker. + +-- +Affected Systems: + All systems using a web server. + +-- +Attack Scenarios: +Many attack vectors are possible from simple directory traversal to +exploitation of buffer overflow conditions. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +Check the host logfiles and application logs for signs of compromise. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/1370.txt 
@@ -0,0 +1,57 @@
+Rule:
+--
+Sid:
+1370
+
+--
+Summary:
+Attempted inetd configuration access via web
+
+--
+Impact:
+Attempt to gain information on system processes on webserver
+
+--
+Detailed Information:
+This is an attempt to gain intelligence on the processes being run on a
+webserver. The inetd configuration lists the daemons executed at boot
+time on a UNIX or Linux based system. The attacker could possibly gain
+information needed for other attacks on the host.
+
+--
+Attack Scenarios:
+The attacker can make a standard HTTP request that contains
+'/etc/inetd.conf'in the URI.
+
+--
+Ease of Attack:
+Simple HTTP request.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Webservers should not be allowed to view or execute files and binaries
+outside of it's designated web root or cgi-bin. This file may also be
+requested on a command line should the attacker gain access to the
+machine. Making the file read only by the superuser on the system will
+disallow viewing of the file by other users.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000603.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000603
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "inv_paid.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "inv_paid.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2447.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2447
+
+--
+Summary:
+This event is generated when an attempt is made to access the servlet
+administration scripts on a Novell Groupwise servlet server.
+
+--
+Impact:
+Possible unauthorized administrative access to the server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to access the servlet
+administration scripts on a Novell Groupwise servlet server located in /servlet/ServletManager.
+
+The default installation has a known username and password for
+administration of the server.
+
+--
+Affected Systems:
+ Novell Groupwise 6.0
+ Novell Groupwise Enhancement Pack 5.5
+
+--
+Attack Scenarios:
+The attacker might login to the application using the default username
+and password gaining administrative access to the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/821.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+821
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/637.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+637
+
+--
+Summary:
+This event is generated when a scan is detected.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to scan a host.
+
+This may be the prelude to an attack. Scanners are used to ascertain
+which ports a host may be listening on, whether or not the ports are
+filtered by a firewall and if the host is vulnerable to a particular
+exploit.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+An attacker can determine if ports 21 and 20 are being used for FTP.
+Then the attacker might find out that the FTP service is vulnerable to a
+particular attack and is then able to compromise the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A scanner may be used in a security audit.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Determine whether or not the scan was legitimate then look for other
+events concerning the attacking IP address.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2610.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2610
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "cancel_statistics" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by long strings in some parameters for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to either the "sname" or
+"oname" variables to cause the overflow. The result could
+permit the attacker to gain escalated privileges and run code of their
+choosing. This attack requires an attacker to logon to the database
+with a valid username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck633.html
+
+--
--- /dev/null
+++ b/doc/signatures/1929.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+1929
+
+--
+Summary:
+This event is generated when an attacker attempts to connect to a
+Trojan server installed via compromised tcpdump or libpcap sources.
+
+--
+Impact:
+Control of the victim host.
+
+--
+Detailed Information:
+This Trojan affects UNIX operating systems:
+
+Some versions of tcpdump and libpcap were compromised and Trojan code
+inserted into the source. The compromise is similar to that which
+affected OpenSSH.
+
+Libpcap is a library used for capturing packets in Snort and other
+packet sniffing tools.
+
+The Trojaned libpcap source contains code in the configure script that
+connects to a server at 212.146.0.34 on port 1963. The script then
+downloads source code for a Trojan horse and compiles it.
+
+Tcpdump is a tool that is used for capturing network traffic, it
+utilizes libpcap. Some versions of tcpdump also contain the same Trojan.
+
+Due to the nature of this Trojan it is unlikely that the attacker's
+client IP address has been spoofed.
+
+--
+Attack Scenarios:
+This Trojan is delivered to the target via the configure script.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Delete the Trojan and kill any associated processes.
+
+Restore the system from known good backups.
+
+Download non-trojaned versions of the library and re-compile.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+Houston Linux Users Group
+http://www.hlug.org/trojan/
+
+--
--- /dev/null
+++ b/doc/signatures/423.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+423
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Request datagram.
+
+--
+
+Impact:
+ICMP Mobile Registration Requests were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 35 datagrams should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Request datagrams were developed before the development of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 35 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
--- /dev/null
+++ b/doc/signatures/100000675.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000675
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Harpia" application running on a webserver.
+Access to the file "pfooter.php" using a remote file being passed as the
+"theme_root" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "theme_root" parameter in the "pfooter.php" script used
+by the "Harpia" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Harpia
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/575.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+575
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) admind is listening.
+
+--
+Impact:
+Information disclosure. This request is used to discover which port admind is using. Attackers can also learn what versions of the admind protocol are accepted by admind.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as admind run. The admind RPC service is used by some UNIX hosts to perform remote distributed system administration tasks such as adding new users. If weak authentication is used, it may be possible for a malicious user to perform remote administration.
+
+--
+Affected Systems:
+Any host running admind with weak authentication.
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where admind runs. This may be a precursor to accessing admind.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access admind, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for admind, not probes of the admind service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the admind service itself. An attacker may attempt to go directly to the admind port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Arachnids
+http://www.whitehats.com/info/IDS18
+
+
+--
--- /dev/null
+++ b/doc/signatures/2277.txt
@@ -0,0 +1,58 @@
+Rule:
+--
+Sid:
+2277
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a directory
+traversal vulnerability in the cgi application PeopleSoft PeopleBooks.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+This event may indicate an attempt is made to exploit a directory
+traversal vulnerability in the cgi application PeopleSoft PeopleBooks.
+The script psdoccgi.exe does not sufficiently check script arguements
+for the "headername" and "footername" variables. An attacker may exploit
+this issue to access files outside the root of the web server.
+
+--
+Affected Systems:
+ PeopleTools versions 8.43 and earlier.
+
+--
+Attack Scenarios:
+An attacker can use directory traversal techniques to access sensitive
+system files to gain information necessary for further system
+compromise.
+
+--
+Ease of Attack:
+Simple. No exploit code required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2199.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+2199
+
+--
+Summary:
+This event is generated when an attempt is made to access multidiff.cgi on an internal web server. This may indicate an attempt to exploit an information disclosure vulnerability in Mozilla Bonsai 1.3.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Mozilla Bonsai, a CVS query tool, contains an information disclosure vulnerability in multidiff.cgi. An attacker can discover the location of the Mozilla Bonsai application by sending a malformed request to the application, which produces an error. The error message shows the full path of the multidiff.cgi file, providing the attacker with information about the server directory structure.
+
+--
+Affected Systems:
+Any system running Mozilla Bonsai 1.3.
+
+--
+Attack Scenarios:
+An attacker sends an erroneous request to multidiff.cgi on the Bonsai server. The error message returns the full path of the script, allowing the attacker to discover more information about the server directory structure for possible use in later attacks.
+
+--
+Ease of Attack:
+Simple. Proof of concept exists.
+
+--
+False Positives:
+If a legitimate remote user accesses multidiff.cgi, this rule may generate an event.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to a newer build of Mozilla Bonsai 1.3.
+
+If you are running Mozilla Bonsai on Debian 3.0, Debian has provided patches at http://security.debian.org/pool/updates/main/b/bonsai/.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Sourcefire Technical Publications Team
+Jennifer Harvey
+
+--
+Additional References:
+Bugtraq
+http://www.securityfocus.com/bid/5517
+
+--
--- /dev/null
+++ b/doc/signatures/1088.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1088
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3297.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3297
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1360.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid: 1360
+
+--
+Summary:
+A web command execution attack involving the use of a
+"netcat" command
+
+--
+Impact:
+Possible intelligence gathering activity or an attempt to gain elevated privileges on the server by using netcat to open another connection.
+
+--
+Detailed Information:
+The attacker may have gained the ability to execute system commands remotely or the web server may be incorrectly configured to allow such access.
+
+This rule generates an event when a "netcat" command is used over a plain-text (unencrypted) connection on one of the specified web ports to the target web server. The "netcat" command may be used establish an interactive shell session to the machine and also transfer files over the connection.
+
+The rule looks for the "netcat" command in the client to web server network traffic and does not indicate whether the command was actually successful. The presence of the "netcat" command in the URI indicates that an attacker attempted to trick the web server into executing system in non-interactive mode i.e. without a valid shell session.
+
+Alternatively this rule may generate an event in an unencrypted HTTP tunneling connection to the server or a shell connection via another exploit against the web server.
+
+--
+Attack Scenarios:
+An attacker uses a "netcat" command to move a rootkit to the system.
+
+--
+Ease of Attack:
+Simple. No exploit software required
+
+--
+False Positives:
+Any string containing 'nc' followed by space in the URL will trigger the alarm.
+
+--
+False Negatives:
+none known
+
+--
+Corrective Action:
+Check the web server software for vulnerabilities and possible upgrades or patches for the system to the latest version of the web software, also investigate the server logs for signs of compromise
+
+Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. Disallowing execution of this binary via a URI is suggested.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Anton Chuvakin
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3252.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3252
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000626.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+100000626
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "message_edit.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the
+"message_edit.php" script used by the "Indexu" application running on a
+webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2342.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2342
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application DCP-Portal.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+DCP-Portal contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable root when
+making a GET or POST request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root by supplying
+their code in a file included from an external source by modifying the
+variable "root" in the editor.php script.
+
+--
+Affected Systems:
+ DCP-Portal 5.0.1
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the root variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2859.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2859
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure add_priority_char
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000148.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+100000148
+
+--
+Summary:
+This event is generated when an attempt is made to perform a directory
+traversal attack against a system running Barracuda Spam Firewall.
+
+--
+Impact:
+Serious. Unauthorized remote command execution possibly leading to remote
+access.
+
+--
+Detailed Information:
+User supplied data to script parameters are not properly sanitized, this may
+permit an unauthorized attacker to execute commands of their choosing on an
+affected system.
+
+Note:
+In order to utilize this rule, port 8000 must be added to the http_inspect
+configuration in snort.conf.
+
+--
+Affected Systems:
+Barracuda Spam Firewall 3.1.17 and prior.
+
+--
+Attack Scenarios:
+An attacker can supply commands as parameters to the img.pl script.
+
+--
+Ease of Attack:
+Simple, exploit software exists but is not necessary.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Judy Novak
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2845.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2845
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure register_snapshot_repgroup
+. This procedure is included in
+sys.dbms_repcat_sna_utl.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000605.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000605
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "inv_unpaid.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "inv_unpaid.php"
+script used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/1880.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1880
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/631.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+631
+
+--
+Summary:
+This event is generated when an external user scans an internal SMTP
+server using Network Associates' Cybercop vulnerability scanner.
+
+--
+Impact:
+Information gathering.
+
+--
+Detailed Information:
+Cybercop Scanner is scanning software that searches for system
+vulnerabilities. As one of its scanning procedures, it sends an EHLO
+command to SMTP server ports to determine if the SMTP server will return
+a list of remote commands that it accepts.
+
+--
+Affected Systems:
+Any SMTP server that returns a list of acceptable commands for remote mailers.
+
+--
+Attack Scenarios:
+An attacker may run Cybercop Scanner against SMTP servers in order to
+determine vulnerabilities that can later be exploited.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure that your SMTP server does not provide more information than is
+necessary when it receives an EHLO request.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+
+General Cybercop information:
+http://www.securityfocus.com/products/126
+
+--
--- /dev/null
+++ b/doc/signatures/3403.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3403
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2913.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2913
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure repcat_import_check
+. This procedure is included in
+sys.dbms_repcat_sna.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3106.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3106
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/828.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+828
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1652.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1652
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in version 1.2 of NCSA web server.
+
+--
+Impact:
+File retrieval leading to compromise of confidential information,
+potential root exploit.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to manipulate a cgi
+script to retrieve files outside the web root of version 1.2 of the NCSA
+web server.
+
+The vulnerability exists in the cgi script "campas"
+
+--
+Affected Systems:
+ web servers running a very old (1995) version of NCSA web
+ server may have this cgi script installed.
+
+--
+Attack Scenarios:
+The attacker can make an HTTP GET request to the script and include
+variables to retrieve a sensitive system file in the following manner:
+
+GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
+
+--
+Ease of Attack:
+Simple. No exploit software required
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2258.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Microsoft Windows Messenger service.
+
+--
+Impact:
+Serious. Denial of Service (DoS), execution of arbitrary code is
+possible.
+
+--
+Detailed Information:
+Due to improper length validation in the Microsoft Windows Messenger
+service, it may be possible for an attacker to overwrite portions of
+memory. This can result in the attacker being presented with the
+opportunity to execute code of their choosing. Under some circumstances
+a Denial of Service condition may be possible against the target host.
+
+Specifically, this vulnerability may present the attacker with the
+opportunity to execute code with the privileges of the local system
+account with full access to all resources on the target host.
+
+--
+Affected Systems:
+ Microsoft Windows NT Workstation 4.0, Service Pack 6a
+ Microsoft Windows NT Server 4.0, Service Pack 6a
+ Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
+ Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
+ Microsoft Windows XP Gold, Service Pack 1
+ Microsoft Windows XP 64-bit Edition
+ Microsoft Windows XP 64-bit Edition Version 2003
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2003 64-bit Edition
+
+--
+Attack Scenarios:
+The attacker may use one of the available exploits to target a
+vulnerable host.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches and service packs.
+
+Disable the Windows messenger service
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+CERT:
+http://www.kb.cert.org/vuls/id/575892
+
+Microsoft:
+http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-043.asp
+
+--
--- /dev/null
+++ b/doc/signatures/2319.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2319
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ebola from PLD Software.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible.
+
+--
+Detailed Information:
+Ebola from PLD Software is used to improve the performance of Anti-Virus
+solutions on Linux systems.
+
+A buffer overflow condition is present in the authentication mechanism
+such that it may be triggered by the generation of an error message from
+an unsuccessful authentication attempt.
+
+--
+Affected Systems:
+ All versions of Ebola prior to 0.1.5
+
+--
+Attack Scenarios:
+An attacker can send specially crafted authentication attempts to the Ebola system and
+cause the buffer overflow thus presenting the opportunity to execute
+arbitrary code.
+
+--
+Ease of Attack:
+Simple. Expoits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3102.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3102
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000695.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000695
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VCard PRO" application running on a webserver. Access to the file "rating.php" with SQL commands being passed as the "card_id" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "card_id" parameter in the "rating.php" script used by the "VCard PRO" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VCard PRO
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/1075.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid: 1075
+
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server (IIS).
+
+--
+Impact:
+Information gathering possible administrator access.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit potential weaknesses in a host running Microsoft IIS.
+
+The attacker may be trying to gain information on the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
+
+The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
+
+Some applications may store sensitive information such as database connections, user information, passwords and customer information in files accessible via a web interface. Care should be taken to ensure these files are not accessible to external sources.
+
+--
+Affected Systems:
+Any host using IIS.
+
+--
+Attack Scenarios:
+An attacker can retrieve a sensitive file containing information on the IIS implementation. The attacker might then gain administrator access to the site, deface the content or gain access to a database.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.
+
+Ensure that the IIS implementation is fully patched.
+
+Ensure that the underlying operating system is fully patched.
+
+Employ strategies to harden the IIS implementation and operating system.
+
+Check the host for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/2283.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2283
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application MediaWiki running on a server.
+
+--
+Impact:
+Possible execution of arbitrary code and unauthorized administrative
+access to the target system.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application MediaWiki . This application
+does not perform stringent checks when handling user input, this may
+lead to the attacker being able to execute PHP code and include php files
+of the attackers choosing.
+
+--
+Affected Systems:
+ MediaWiki MediaWiki-stable 20031107
+ MediaWiki MediaWiki-stable 20030829
+
+--
+Attack Scenarios:
+An attacker can exploit weaknesses to gain access as the administrator
+by supplying input of their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1527.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1527
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the Basilix webmail PHP script.
+
+An attacker can access mysql.class file to obtain MySQL login and use it
+for further attacks.
+
+--
+Impact:
+Serious. Password disclosure which can lead to further system
+compromise.
+
+authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail
+
+--
+Detailed Information:
+A webserver usually sends files in the webroot to an anonymous user
+without further processing. PHP scripts often include files (which
+contain configuration variables, functions, etc.) that are stored
+using a suffix that does not prevent a webserver sending them in clear
+text. The ".class" suffix is not usually explicitly denied in a standard
+web server configuration and the file "mysql.class" may be sent to the
+attacker.
+
+--
+Attack Scenarios:
+An attacker gets mysql.class containing database login credentials. The attacker can then connect to the database server using the login provided by mysql.class file and modify the database.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+File doesn't exist or mysql.class is for example a java class file publicly available on the server
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Update Basilix script (www.basilix.org)
+
+Check files which contain php code for a suffix that might be rendered in plaintext by the web server.
+
+Workaround - register .class the same way that the extensions .php, .php3 or.php4 are registered in the web server configuration file.
+Note: .class is usually used by java applets
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Ueli Kistler,
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3042.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+3042
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Ethereal.
+
+--
+Impact:
+Serious. Denial of Service (DoS).
+
+--
+Detailed Information:
+Ethereal is a multi-platform network protocol analyser capable of
+displaying network data to the user in a graphical user interface.
+
+An error in the processing of access control lists (ACLs) concerning the
+size of the access control entries (ACEs) may lead to a Denial of Service
+(DoS) condition in Ethereal. The ACL parsing routine trusts the size of
+the ACE given in the packet during processing. If a sufficiently large ACL
+structure is supplied combined with a specified ACE size of 0, it is
+possible to cause the DoS condition to occur.
+
+--
+Affected Systems:
+ Ethereal 0.10.7 and prior
+
+--
+Attack Scenarios:
+An attacker needs to craft packet data containing large NT ACLs, the
+attacker then needs to specify one of the ACEs as having a size of 0.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2039.txt
@@ -0,0 +1,89 @@
+Rule:
+
+--
+Sid:
+2039
+
+--
+Summary:
+The Dynamic Host Configuration Protocol (DHCP) daemon is used to issue
+dynamic IP addresses from a server to client machines. A vulnerability
+exists such that arbitrary code may be executed on the server using the
+credential of the super user (root).
+
+--
+Impact:
+Execution of code and possible control of the targeted machine.
+
+--
+Detailed Information:
+A format string vulnerabilty in some versions of dhcpd may lead to the
+execution of arbitrary code as the root user via a DNS server response.
+This is due to the unsafe logging of user data. The option NSUPDATE
+option in the configuration of dhcpd must be enabled, although this is a
+default option in version 3.0 and later.
+
+Two exploits for this vulnerability are known to exist.
+
+--
+Affected Systems:
+ISC DHCPD 3.0
+ Caldera OpenLinux Server 3.1 and 3.1.1
+ Caldera OpenLinux Workstation 3.1 and 3.1.1
+ Conectiva Linux 8.0
+ MandrakeSoft Linux Mandrake 8.1, 8.1 ia64, 8.2, 8.2 ppc and 9.0
+ MandrakeSoft Multi Network Firewall 8.2
+ S.u.S.E. Linux 7.2, 7.3 and 8.0
+ S.u.S.E. Linux Connectivity Server
+ S.u.S.E. Linux Database Server
+ S.u.S.E. Linux Enterprise Server 7 and S/390
+
+ISC DHCPD 3.0.1 rc8 and ISC DHCPD 3.0.1 rc7
+ FreeBSD FreeBSD 4.1.1, 4.2, 4.3, 4.4 and 4.5
+
+ISC DHCPD 3.0.1 rc6
+ S.u.S.E. Linux 8.0 and 8.0 i386
+
+ISC DHCPD 3.0.1 rc5, ISC DHCPD 3.0.1 rc4
+OpenPKG OpenPKG 1.0
+
+ISC DHCPD 3.0.1 rc3, rc2 and rc1
+
+--
+Attack Scenarios:
+The attacker could send a specially crafted packet to the dhcpd server or use one of the exploits widely available for this vulnerability.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches from the vendor should be applied as soon as possible.
+
+Upgrade to ISC DHCPD 3.0.1 rc 9.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4701
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0702
+
+--
--- /dev/null
+++ b/doc/signatures/3098.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3098
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/106.txt
@@ -0,0 +1,92 @@
+Rule:
+
+--
+Sid:
+106
+
+--
+Summary:
+Backdoor.AckCmd is a Trojan Horse that uses TCP ACK segments to
+communicate. This Trojan may bypass firewalls that do not keep track of
+the session state in a TCP transaction.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a
+compromise of all resources the machine is connected to. This Trojan
+also has the ability to delete data, steal passwords and disable the
+machine. Other versions are capable of launching DDoS attacks.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+ Windows NT
+ Windows 2000
+ Windows XP
+
+No other systems are affected. This is a windows executable that does
+not make changes to the system registry.
+
+AckCmd is a "proof of concept" Trojan.
+
+ SID Message
+ --- -------
+ 106 ACKcmdC trojan scan
+
+This event is indicative of an attacker attempting to locate AckCmd
+servers.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This
+event is indicative of an existing infection being activated. Initial
+compromise can be in the form of a Win32 installation program that may
+use the extension ".jpg" or ".bmp" when delivered via e-mail for
+example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised.
+Updated virus definition files are essential in detecting this Trojan.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Delete the file AckCmd.exe
+
+A machine reboot is required to clear the existing process from running
+in memory.
+
+In addition, the use of a firewall that correctly checks the state of a
+TCP session is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS485
+
+ntsecurity.nu
+ACK Tunneling Trojans
+http://ntsecurity.nu/papers/acktunneling/
+
+--
--- /dev/null
+++ b/doc/signatures/3317.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3317
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2979.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2979
+
+--
+Summary:
+This event is generated when an attempt is made to access the C$ default
+administrative share of a Windows host.
+
+--
+Impact:
+Serious. Possible administrator access to the host. Information
+disclosure.
+
+--
+Detailed Information:
+By default, Windows hosts have default administrative shares of the
+local hard drives using the format %DRIVE_LETTER% + $. Anybody with
+administrative rights can remotely access the share.
+
+--
+Affected Systems:
+ Windows hosts.
+
+--
+Attack Scenarios:
+An attacker may be attempting to access files located on the C drive of
+the host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow Netbios access from external networks (tcp port 139).
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+Arachnids:
+http://www.whitehats.com/info/IDS339
+
+Microsoft:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;100517
+
+--
--- /dev/null
+++ b/doc/signatures/122-21.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-21
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a udp
+filtered portscan was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker
+Marc Norton
+Jeremy Hewlett
+Nigel Houghton
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
--- /dev/null
+++ b/doc/signatures/2455.txt
@@ -0,0 +1,52 @@
+Rule:
+
+--
+Sid:
+2455
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo Instant Messenger running has sent a message to a Yahoo IM conference.
+
+--
+Impact:
+Possible policy violation. Instant Messenger programs may not be appropriate in certain network environments.
+
+--
+Detailed Information:
+A Yahoo IM conference allows multiple users to participate in the exchange of text and voice messages, as well as share files and webcams. It is possible that a file that is exchanged may contain malicious code such as as virus, worm, Trojan, or backdoor. Also, since all exchanges are done via Yahoo IM servers and in clear text, there should be no expectation of privacy.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+A Yahoo IM user may unwittingly accept a malicious file.
+
+--
+Ease of Attack:
+Easy to transfer a malicious file.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the default expected ones.
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
--- /dev/null
+++ b/doc/signatures/2835.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2835
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure purge_master_log
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/121-3.txt
@@ -0,0 +1,98 @@
+
+
+Rule:
+
+--
+Sid:
+121-3
+
+--
+Summary:
+This event is generated when the pre-processor flow-portscan detects
+network traffic that may constitute an attack. Specifically a fixed
+scale talker limit exceeded event was generated.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the flow-portscan pre-processor detects
+network traffic that may consititute an attack.
+
+The flow-portscan pre-processor uses a flow based technique to identify
+portscanning in one-to-many and many-to-one scenarios based on flow
+creation in the flow pre-processor.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.flow-portscan in the docs directory
+of the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+detailed instructions and examples on how to tune and use the
+pre-processor.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Green
+Daniel Roelker
+Marc Norton
+Nigel Houghton
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
--- /dev/null
+++ b/doc/signatures/100000840.txt
@@ -0,0 +1,55 @@
+
+
+Rule:
+
+--
+Sid:
+100000840
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "FlatNuke" application running on a webserver. Access to the file "index.php" using a remote file being passed as the "mod" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "mod" parameter in the "index.php" script used by the "FlatNuke" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using FlatNuke
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2662.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+2662
+
+--
+Summary:
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+--
+Impact:
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/329.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid: 329
+
+--
+Summary:
+This is an intelligence gathering activity. This event is indicative of a connection laundering attack against the finger daemon
+
+--
+Impact:
+The attacker may obtain information about a third party host without making a direct connection to that host.
+
+--
+Detailed Information:
+The event is generated when an attempt to use a machine to run
+finger queries against a third party UNIX system is attempted by the
+Cybercop vulnerability scanner.
+
+The attack utilizes "finger forwarding" functionality, normally used to forward queries to a third party machine. The information is obtained without a direct connection to the said third party, since the target system performs a connection to the third party host for the attacker.
+
+The Finger daemon is used to provide information about users on a UNIX system. It used to be installed and enabled by default on most UNIX/Linux systems. The attack if successful, will confirm that the target host will try to forward queries.
+
+--
+
+Attack Scenarios:
+An attacker uses the Cybercop vulnerability scanner to test for this weakness.
+
+--
+
+Ease of Attack:
+Simple, performed by a scanner
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Disable the finger daemon or upgrade to a daemon without finger forwarding functionality
+
+
+--
+Contributors:
+Original rule written by Max Vision
+Snort documentation contributed by Anton Chuvakin
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0105
+
+Arachnids:
+http://www.whitehats.com/info/IDS11
+
+--
--- /dev/null
+++ b/doc/signatures/2036.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2036
+
+--
+Summary:
+Network Status Monitor (NSM) is used to indicate whether a host is up or
+for its status.
+
+--
+Impact:
+Intelligence gathering about the current state of a host and whether rpc
+services are available.
+
+--
+Detailed Information:
+NSM runs on client machines and informs other hosts of the status of
+that machine should a crash or reboot occur. Each remote application
+using an rpc service can therefore register with the host when services
+are once again available.
+
+A request made to a machine will indicate to the attacker the status of
+that host and will also be indicative of rpc services being available.
+The attacker might then continue to ascertain which rpc services are
+being offered and then launch an attack on vulnerable daemons.
+
+--
+Affected Systems:
+Any system running the service.
+
+--
+Attack Scenarios:
+An attacker merely needs to request the status of the host using rpc.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+Use the hosts.allow file to restrict the hosts able to request the
+status of the server.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Network Status Monitor Protocol, The Open Group:
+http://www.opengroup.org/onlinepubs/009629799/chap11.htm
+
+--
--- /dev/null
+++ b/doc/signatures/2654.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2654
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the web application PHPNuke.
+
+--
+Impact:
+SQL Injection is possible leading to a complete compromise of the data
+in the application database.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHPNuke web application running on a server.
+
+Insufficient checks are made on user input supplied to the script
+"viewtopic.php", exploitation of this issue could present an attacker
+with the opportunity to inject SQL code of their choosing into a
+vulnerable system.
+
+--
+Affected Systems:
+ PHPNuke 6.0
+ PHPNuke 6.5 RC2
+
+--
+Attack Scenarios:
+An attacker can supply code of their choice by including it in the
+URI that calls on viewtopic.php.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Consider reviewing the database permissions for the application.
+
+--
+Contributors:
+Sourcefire Research Team
+Ricky MacAtee
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2559.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2559
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+--
+
+Impact:
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios:
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
+to configure the Oracle Web Cache server to run on different ports. The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000848.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+100000848
+--
+Summary:
+This event is generated when an attempt is made to exploit a cross site
+scripting vulnerability in the "PhpWebGallery" application running on a
+webserver.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to exploit a cross site
+scripting vulnerability via the "keyword" parameter in the "comments.php"
+script
+used by the "PhpWebGallery" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to retrieve sensitive data, execute system binaries
+or malicious code of the attackers choosing.
+
+--
+Affected Systems:
+All systems running CGI applications using PhpWebGallery
+--
+Attack Scenarios:
+An attacker can supply a malicious link designed to steal information from a
+user clicking on that link.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Chris Jacob
+
+--
+Additional References:
+
+The Cross Site Scripting (XSS) FAQ
+http://www.cgisecurity.com/articles/xss-faq.shtml
+
+--
+
--- /dev/null
+++ b/doc/signatures/232.txt
@@ -0,0 +1,70 @@
+Rule:
+--
+Sid:
+232
+
+--
+Summary:
+This event is generated when a pong packet for the Trinoo (aka trin00)
+DDos suite is detected.
+
+--
+Impact:
+This may indicate a compromised system or be the prelude to a
+Distributed Denial of Service (DDoS) attack.
+
+--
+Detailed Information:
+Once a Trinoo client has been installed on a compromised machine and a master is
+ready and listening, the master sends a "png" (ping) command to its drones in
+an attempt to enumerate the drone network. A functioning client will respond to
+port 31335/udp with the text "PONG".
+
+Once a machine becomes part of a trin00 network, a Denial of Service (DoS)
+is typically initiated against one (or more) victim machines.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+As part of a large scale attack against a machine or a network, an
+attacker will compromise large numbers of machines which will form the
+army that the trin00 master daemon will command. The master daemon
+typically instructs the clients to send mass-quantities of packets to
+a set of victim hosts. If the traffic is sufficient, the victim
+machines will become resource deprived and thus endure a DoS condition.
+
+--
+Ease of Attack:
+Simple. Trinoo client and master programs are widely available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disconnect infected machine(s) from the network immediately.
+
+Use software to determine if a host has been compromised using a
+rootkit.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+SANS:
+http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
+
+--
--- /dev/null
+++ b/doc/signatures/2312.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2312
+
+--
+Summary:
+This event is generated when suspicious shell code is detected in
+network traffic.
+
+--
+Impact:
+Denial of Service (DoS) possible execution of arbitrary code.
+
+--
+Detailed Information:
+This event is generated when suspicious shell code is detected. Many
+buffer overflow attacks contain large numbers of NOOP instrucions to pad
+out the request. Other attacks contain specific shell code sequences
+directed at certain applications or services.
+
+The shellcode in question may also use Unicode encoding.
+
+--
+Affected Systems:
+ Any software running on x86 architecture.
+
+--
+Attack Scenarios:
+An attacker may exploit a DCERPC service by sending shellcode in the RPC
+data stream. Sending large amounts of data to the Microsoft Workstation
+service can cause a buffer overflow condition in the logging function
+thus presenting an attacker with the opportunity to issue a DoS attack
+or in some cases, to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple. Many exploits exist.
+
+--
+False Positives:
+False positives may be generated by binary file transfers.
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Make sure the target host has all current patches applied and has the
+latest software versions installed.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2871.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2871
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure alter_priority_nchar
+. This procedure is included in
+sys.dbms_repcat_conf.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1537.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+1537
+
+--
+Summary:
+This event is generated when an attempt is made to exploit an
+authentication vulnerability in a web server or an application running
+on that server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a web server or an application running ona web server. Some
+applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An attacker can access the authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Disallow administrative access from sources external to the protected
+network.
+
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2081.txt
@@ -0,0 +1,78 @@
+Rule:
+
+--
+Sid:
+2081
+
+--
+Summary:
+number for the rpc service xfsmd
+
+--
+Impact:
+Intelligence gathering
+
+--
+Detailed Information:
+This may be an attacker probing for vulnerable versions of rpc services.
+In this case, the rpc service xfsmd.
+
+It is possible for an attacker to supply a meta character followed by
+any commands or code of his choosing to the xfsmd daemon.
+
+Due to a programming error, the service does not correctly check for the
+characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is
+part of an optional package.
+
+--
+Affected Systems:
+ IRIX 6.2
+ IRIX 6.3
+ IRIX 6.4
+ IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
--- /dev/null
+++ b/doc/signatures/2235.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+2235
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow in Trend Micro InterScan eManager.
+
+--
+Impact:
+Serious. Remote administrative access is possible.
+
+--
+Detailed Information:
+Versions of Trend Micro InterScan eManager suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute
+arbitrary code of their choosing which could lead to remote access to
+the server.
+
+--
+Affected Systems:
+ Trend Micro InterScan eManager 3.51
+
+--
+Attack Scenarios:
+If the buffer overflow condition is met, the attacker can run code of
+their choosing on the affected host.
+
+--
+Ease of Attack:
+Moderate.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the web interface
+
+Enable NTLM authentication for the administrative interface
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/3327
+
+--
--- /dev/null
+++ b/doc/signatures/491.txt
@@ -0,0 +1,63 @@
+Rule:
+--
+Sid:
+491
+
+--
+Summary:
+This event is generated when a failed attempt to login to an FTP server
+is detected.
+
+--
+Impact:
+Unknown. Multiple events may indicate an attempt to enumerate accounts
+and passwords using brute force methodology.
+
+--
+Detailed Information:
+This event is generated when a failed attempt to login to an FTP server
+is detected.
+
+Multiple events may indicate an attempt to enumerate accounts
+and passwords using brute force methodology.
+
+--
+Affected Systems:
+ All FTP Servers
+
+--
+Attack Scenarios:
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Check FTP logs for access attempts.
+
+Disallow FTP access from sources external to the protected network.
+
+Consider using Secure Shell as a replacement for FTP services.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+RFC:
+http://www.faqs.org/rfcs/rfc959.html
+
+--
--- /dev/null
+++ b/doc/signatures/1261.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+1261
+
+--
+Summary:
+This event is genereated when an attempt to overflow the buffer of the
+IBM Program Database Name Server Daemon (PDNSD) is made.
+
+--
+Impact:
+Serious. System compromize presenting the attacker with the opportunity
+to gain remote access to the victim host or execute arbitrary code with
+the privileges of the superuser account.
+
+--
+Detailed Information:
+Some versions of IBM PDSND for AIX are vulnerable to a buffer overflow
+condition which can present the attacker with root privileges.
+
+
+Affected Systems:
+ PDSND versions 2 and 3
+
+--
+Attack Scenarios:
+Exploit scripts are available
+
+--
+Ease of Attack:
+Simple. Exploits are available.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Disable the PDSND daemon.
+
+--
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+CIAC:
+http://www.ciac.org/ciac/bulletins/j-059.shtml
+
+--
--- /dev/null
+++ b/doc/signatures/2460.txt
@@ -0,0 +1,61 @@
+Rule:
+
+--
+Sid:
+2460
+
+--
+Summary:
+This event is generated when a host in your network that has Yahoo
+Instant Messenger running requests to view a webcam listen to an audio
+message of another Yahoo IM user.
+
+--
+Impact:
+Possible policy violation. Instant Messenger programs may not be
+appropriate in certain network environments.
+
+--
+Detailed Information:
+This event indicates that a Yahoo IM user in your network is requesting
+to view a webcam or listen to an audio message of another Yahoo IM user.
+While there are no known exploits associated with showing or viewing
+webcams, it is possible that this activity is inappropriate in certain
+environments.
+
+--
+Affected Systems:
+Any host running Yahoo Instant Messenger.
+
+--
+Attack Scenarios:
+No known attack scenarios.
+
+--
+Ease of Attack:
+No known attack scenarios.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+It may be possible for Yahoo IM traffic to use other ports than the
+default expected ones.
+
+--
+Corrective Action:
+Disallow the use of IM clients on the protected network and enforce or
+implement an organization wide policy on the use of IM clients.
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+--
+Additional References:
+Yahoo Protocol
+http://www.cse.iitb.ac.in/~varunk/YahooProtocol.htm
+
+--
--- /dev/null
+++ b/doc/signatures/2241.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2241
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerablity in NetWin CWMail 2.7.
+
+--
+Impact:
+Serious. Execution of arbitrary code is possible.
+
+--
+Detailed Information:
+Certain versions of NetWin CWMail suffer from a buffer overflow
+condition that can present an attacker with the opportunity to execute
+code of their choosing on the server.
+
+--
+Affected Systems:
+ NetWin CWMail 2.7, a, b, c, d, f, i, j, k, l, m, n, o, p, q, s and t
+
+--
+Attack Scenarios:
+The attacker would need to supply a large amount of characters to the
+"item=" parameter which could then cause the overflow condition to
+occur.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/4093
+
+--
--- /dev/null
+++ b/doc/signatures/1617.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1617
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1394.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+
+1394
+
+--
+Summary:
+This event is generated when an attempt is made to possibly overflow a buffer.
+
+The NOOP warning occurs when a series of NOOP (no operation) are found in a stream. Most buffer overflow exploits typically use NOOPs sleds to pad the code.
+
+--
+Impact:
+
+This might indicate someone is trying to use a buffer overflow exploit.
+
+Full compromise of system is possible if the exploit is successful.
+
+--
+Detailed Information:
+This rule detects a large number of consecutive NOOP instructions used in padding code. It's not specific to a particular service exploit, but rather used to try and detect buffer overflows in general. It is common for buffer overflow code to contain a large sequence of NOOP instructions as it increases the odds of successful execution of the useful shellcode.
+
+--
+Affected Systems:
+
+ Any x86 programs.
+
+--
+Attack Scenarios:
+An attacker uses a buffer overflow exploit which contains the following payload:
+
+ 90 90 90 90 90 90 90 90 90 90 /bin/sh
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+High, This event may be generated by applications such as ftp and http
+when binary data is being transfered.
+
+A false Positive can be generated if the snort sensor detects text from an IRC
+client or any other application that passes data plaintext. The event is
+generated if snort detects several (a) characters in a row - such as
+'aaaaaaaaaa'.
+
+--
+False Negatives:
+
+None known
+
+--
+Corrective Action:
+Apply a non-executable user stack patch to your kernel
+
+Secure programming/execution of a program
+
+Check the destination host and service to verify if any buffer overflow vulnerability exists.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3222.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3222
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2365.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2365
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application newsPHP.
+
+--
+Impact:
+Execution of arbitrary code on the affected system
+
+--
+Detailed Information:
+newsPHP contains a flaw such that it may be possible for an attacker
+to include code of their choosing by manipulating the variable LangFile when
+making a GET or POST request to a vulnerable system.
+
+It may be possible for an attacker to execute that code with the
+privileges of the user running the webserver, usually root.
+
+--
+Affected Systems:
+ newsPHP newsPHP 216
+
+--
+Attack Scenarios:
+An attacker can make a request to an affected script and define their
+own path for the LangFile variable.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade to the latest non-affected version of the software
+
+--
+Contributors:
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000483.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000483
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Wheatblog" application running on a webserver.
+Access to the file "view_links.php" using a remote file being passed as the
+"wb_inc_dir" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "wb_inc_dir" parameter in the "view_links.php" script
+used by the "Wheatblog" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Wheatblog
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/2641.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+2641
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in database
+replication. The "drop_site_instantiate" procedure contains a
+programming error that may allow an attacker to execute a buffer
+overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the "refresh_template_name"
+variable to cause the overflow. The result could permit the attacker
+to gain escalated privileges and run code of their choosing. This
+attack requires an attacker to logon to the database with a valid
+username and password combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck629.html
+
+--
--- /dev/null
+++ b/doc/signatures/1625.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+1625
+
+--
+Summary:
+This event is generated when activity relating to spurious ftp traffic is detected on the network.
+
+--
+Impact:
+Varies from information gathering to a serious compromise of an ftp server.
+
+--
+Detailed Information:
+FTP is used to transfer files between hosts. This event is indicative of spurious activity in FTP traffic between hosts.
+
+The event may be the result of a transfer of a known protected file or it could be an attempt to compromise the FTP server by overflowing a buffer in the FTP daemon or service.
+
+--
+Attack Scenarios:
+A user may transfer sensitive company information to an external party using FTP.
+
+An attacker might utilize a vulnerability in an FTP daemon to gain access to a host, then upload a Trojan Horse program to gain control of that host.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow access to FTP resources from hosts external to the protected network.
+
+Use secure shell (ssh) to transfer files as a replacement for FTP.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2483.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+Sid:
+2176
+
+
+--
+Summary:
+This event is generated when an attempt is made to shutdown a service via SMB.
+
+--
+Impact:
+Serious.
+
+--
+Detailed Information:
+This event indicates that an attempt was made to shutdown a service
+on a system using SMB across the network.
+
+--
+Affected Systems:
+ Microsoft Windows systems.
+
+--
+Attack Scenarios:
+An attacker may try to deny services to other users.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of system compromise.
+
+Turn off file and print sharing on the target host.
+
+Use a packet filtering firewall to disallow SMB access to the host from
+sources external to the protected network.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/257.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+257
+
+--
+Summary:
+This event is generated when an attempt is made to determine the version
+of BIND being used on a DNS server.
+
+--
+Impact:
+Information gathering. This activity may indicate reconnaisance before
+an impending attack.
+
+--
+Detailed Information:
+A remote machine attempted to determine the version of BIND running on a
+nameserver.
+
+--
+Affected Systems:
+ All DNS nameservers
+
+--
+Attack Scenarios:
+As part of reconnaissance leading upto a potential intrusion attempt, an
+attacker may attempt to determine the BIND version that is in use so
+that a vulnerable version can be used as an attack vector.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disable the ability for untrusted (remote) machines to determine the named
+version.
+
+--
+Contributors:
+Original rule writer unknown
+Snort documentation contributed by Jon Hart
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1016.txt
@@ -0,0 +1,56 @@
+Rule:
+
+--
+Sid:
+1016
+
+--
+Summary:
+This event is generated when an attempt is made to craft a URL containing a reference to the "/global.asa" file.
+
+--
+Impact:
+Intelligence gathering. This attack may permit disclosure of the source code of global.asa file that is not normally available for viewing.
+
+--
+Detailed Information:
+Microsoft Internet Information Services (IIS) 5.0 contains scripting engines to support various advanced files types such as .ASP and .HTR. The scripting engines permit the execution of server-side processing. IIS determines which scripting engine is appropriate depending on the file extension. If an attacker crafts a URL request ending in 'Translate: f' and followed by a slash '/', IIS fails to send the file to the appropriate scripting engine for processing. Instead, it returns the source code of a referenced file, such as global.asa, to the browser. The Nessus vulnerability scanner references the global.asa file in a GET request to determine whether a host is susceptible to this exploit.
+
+--
+Affected Systems:
+Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can craft a URL that includes the 'Translate: f' followed by a '/' to disclose the source code of a file such as global.asa on the vulnerable server.
+
+--
+Ease of Attack:
+Simple. The Nessus vulnerability scanner can test for this exploit.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Apply the patch referenced in the Microsoft link.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Microsoft
+http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
+
+--
--- /dev/null
+++ b/doc/signatures/1672.txt
@@ -0,0 +1,74 @@
+Rule:
+
+--
+Sid:
+1672
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer overflow associated with certain versions of the Sun Solaris FTP server.
+
+--
+Impact:
+Reconnaissance. An attacker may be able to examine records from the password shadow file.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a buffer overflow vulnerability associated with a globbing function in Sun Solaris FTP servers. An attacker may exploit this vulnerability by logging into the FTP server with a valid username and an invalid password then supplying the command "CWD ~". This may produce a core dump in the root directory with world-readable permissions that could be examined to discover valid FTP users for the server.
+
+--
+Affected Systems:
+
+SPARC
+
+ * Solaris 2.5 without patch 103577-13
+ * Solaris 2.5.1 without patch 103603-16
+ * Solaris 2.6 without patch 106301-03
+ * Solaris 2.7 without patch 110646-02
+ * Solaris 2.8 without patch 111606-01
+
+Intel
+
+ * Solaris 2.5 without patch 103578-13
+ * Solaris 2.5.1 without patch 103604-16
+ * Solaris 2.6 without patch 106302-03
+ * Solaris 2.7 without patch 110647-02
+ * Solaris 2.8 without patch 111607-01
+
+--
+Attack Scenarios:
+An attacker may attempt to exploit this vulnerability to learn valid FTP usernames to later attempt brute force guessing of passwords.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software or apply the appropriate patch.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/2601
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0421
+
+--
--- /dev/null
+++ b/doc/signatures/2771.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2771
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure drop_priority_char
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2961.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2961
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/532.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+532
+
+--
+Summary:
+This event is generated when an attempt is made to access an administrative share on a Windows machine.
+
+--
+Impact:
+Serious. Possible administrator access on the victim machine.
+
+--
+Detailed Information:
+This rule generates an event when the hidden Netbios share Admin$, which is the Winnt directory, is accessed via SMB.
+
+This is a poor security practice or an indication that a machine is being accessed remotely.
+
+--
+Affected Systems:
+ Windows 9x
+ Windows 2000
+ Windows XP
+
+--
+Attack Scenario:
+This can be accessed from GUI "map network drive" remotely
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Use a packet filtering firewall to disallow Netbios access from the unprotected network.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+Snort documentation contributed by Jake Babbin
+
+--
+References:
+
+arachnids 340
+
+--
--- /dev/null
+++ b/doc/signatures/2560.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+2560
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Oracle Application Server Web Cache.
+
+--
+
+Impact:
+Serious. Possible execution of arbitrary code leading to remote
+administrative access.
+
+--
+Detailed Information:
+The Oracle Application Server Web Cache is vulnerable to a buffer
+overrun caused by poor checking of the length of an HTTP Header. If a
+large invalid HTTP Request Method is supplied to a vulnerable system, an
+attacker may be presented with the opportunity to overrun a fixed length
+buffer and subsequently execute code of their choosing on the server.
+
+--
+Affected Systems:
+Oracle Application Server Web Cache 10g 9.0.4 .0
+Oracle Oracle9i Application Server Web Cache 2.0 .0.4
+Oracle Oracle9i Application Server Web Cache 9.0.2 .3
+Oracle Oracle9i Application Server Web Cache 9.0.2 .2
+Oracle Oracle9i Application Server Web Cache 9.0.3 .1
+
+--
+
+Attack Scenarios:
+An attacker might supply an HTTP Request Method of more than 432 bytes,
+causing the overflow to occur.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+This rule examines Oracle Web Cache server on port 7777 or 7778. It is possible
+to configure the Oracle Web Cache server to run on different ports. The rule
+should be configured to reflect the appropriate ports of Oracle Web Cache
+servers on your network.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Judy Novak
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1252.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+1252
+
+--
+Summary:
+This event is generated after a sucessful exploit of the BSD derived Telnet daemon.
+
+--
+Impact:
+Remote root access. This may or may not indicate a successful root
+compromise of a telnet server.
+
+--
+Detailed Information:
+This event is generated after a possible sucessful attempt to compromise
+a server running a BSD derived version of Telnet. A buffer overflow
+condition exists that may present an attacker with the opportunity to
+execute code of their choosing.
+
+The attacker does not need to login to the server to exploit this
+vulnerability, only a connection to the server is needed.
+
+--
+Affected Systems:
+ Multiple Vendor Telnet servers running versions of telnetd derived
+ from the BSD telnet daemon.
+
+--
+Attack Scenarios:
+An attacker may utilize one of the available exploit scripts.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are publicly available. This vulnerability may
+also be exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Consider using Secure Shell instead of telnet.
+
+Block inbound telnet access if it is not required.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1661.txt
@@ -0,0 +1,55 @@
+Rule:
+
+--
+Sid:
+1661
+
+--
+Summary:
+This event is generated when an attempt is made to access the cmd32.exe file.
+
+--
+Impact:
+Remote access. This attack may permit the execution of arbitrary commands on the vulnerable server.
+
+--
+Detailed Information:
+The cmd32.exe file allows execution of commands on Windows hosts. This file is only accessible if maliciously placed in the web server's root directory or an attacker performs unauthorized directory traversal. This may permit the attacker to execute arbitrary commands on the vulnerable server.
+
+--
+Affected Systems:
+???
+
+--
+Attack Scenarios:
+An attacker can attempt to access the cmd32.exe file to execute arbitrary commands on the vulernable server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Make sure that the cmd32.exe is not in the webroot directory.
+
+Make sure that all appropriate patches have been applied.
+
+--
+Contributors:
+Original rule writer unknown
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1437.txt
@@ -0,0 +1,79 @@
+Rule:
+
+--
+Sid:
+1437
+
+--
+Summary:
+This event is generated when network traffic indicating the use of a
+multimedia application is detected.
+
+--
+Impact:
+This may be a violation of corporate policy since these applications can
+be used to bypass security measures designed to restrict the flow of
+corporate information to destinations external to the corporation.
+
+--
+Detailed Information:
+Multimedia client applications can be used to view movies and listen to
+music files. Some also include file sharing facilities. Use of these
+programs may constitute a violation of company policy.
+
+Clients may also contain vulnerabilities that can give an attacker an
+attack vector for delivering Trojan horse programs and viruses.
+
+This rule detects the following Windows Media file types:
+
+ File extension MIME type
+ .wmz application/x-ms-wmz
+ .wmd application/x-ms-wmd
+ .wma audio/x-ms-wma
+ .wax audio/x-ms-wax
+ .wmv audio/x-ms-wmv
+ .asf video/x-ms-asf
+ .asx video/x-ms-asf
+ .wvx video/x-ms-wvx
+ .wm video/x-ms-wm
+ .wmx video/x-ms-wmx
+
+--
+Affected Systems:
+ All Windows systems running Windows Media player applications
+
+--
+Attack Scenarios:
+A user can download files from a source external to the protected
+network that may contain malicious code hidden in the file giving an
+attacker the opportunity to gain access to a host inside the protected
+network.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Windows Media file types:
+http://support.microsoft.com/default.aspx?scid=kb;en-us;288102
+
+--
--- /dev/null
+++ b/doc/signatures/1113.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1113
+
+--
+Summary:
+This event is generated when an attempt is made to execute a directory
+traversal attack.
+
+--
+Impact:
+Information disclosure. This is a directory traversal attempt which can
+lead to information disclosure and possible exposure of sensitive
+system information.
+
+--
+Detailed Information:
+Directory traversal attacks usually target web, web applications and ftp
+servers that do not correctly check the path to a file when requested by
+the client.
+
+This can lead to the disclosure of sensitive system information which may
+be used by an attacker to further compromise the system.
+
+--
+Affected Systems:
+
+--
+Attack Scenarios:
+An authorized user or anonymous user can use the directory traversal
+technique, to browse folders outside the ftp root directory. Information
+gathered may be used in further attacks against the host.
+
+--
+Ease of Attack:
+Simple. No exploit software required.
+
+--
+False Positives:
+None known
+
+--
+False Negatives:
+None known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Upgrade the software to the latest non-affected version.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1676.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1676
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2255.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2255
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability associated with the Remote Procedure Call (RPC) sadmind.
+
+--
+Impact:
+Remote root access. This attack may permit execution of arbitrary commands with the privileges of root.
+
+--
+Detailed Information:
+The sadmind RPC service is used by Solaris Solstice AdminSuite
+applications to perform remote distributed system administration tasks
+such as adding new users.
+
+This event indicates that an RPC query for the sadmind service has been
+made with the credentials of the root user supplied.
+
+This may permit execution of arbitrary commands with the privileges of root.
+
+--
+Affected Systems:
+All systems using sadmind
+
+--
+Attack Scenarios:
+Exploit code can be used to attack a vulnerable sadmind to obtain root access to the remote host.
+
+--
+Ease of Attack:
+Simple. Exploit scripts are freely available.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/195.txt
@@ -0,0 +1,76 @@
+Rule:
+
+--
+Sid:
+195
+
+--
+Summary:
+Deepthroat is a Trojan Horse offering the attacker control of the target.
+
+--
+Impact:
+Possible theft of data and control of the targeted machine leading to a compromise of all resources the machine is connected to. This Trojan also has the ability to delete data, steal passwords and disable the machine.
+
+--
+Detailed Information:
+This Trojan affects the following operating systems:
+
+ Windows 95
+ Windows 98
+ Windows ME
+
+The Trojan changes system registry settings to add the Deepthroat sever to programs normally started on boot.
+
+See also rules with sids 195, 1980, 1981, 1982 and 1983.
+
+--
+Attack Scenarios:
+This Trojan may be delivered to the target in a number of ways. This event is indicative of an existing infection being activated. Initial compromise can be in the form of a Win32 installation program that may use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
+
+--
+Ease of Attack:
+This is Trojan activity, the target machine may already be compromised. Updated virus definition files are essential in detecting this Trojan. Once compromised, this Trojan grants the attacker the ability to almost completely control the target.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+
+Edit the system registry to remove the extra keys or restore a previously known good copy of the registry.
+
+Affected registry keys are:
+
+ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
+
+Registry keys added are:
+
+ Systemtray
+
+Removal of the files pddt.dat and systray.exe from the Windows system directory is required.
+
+Ending the process systray.exe is also necessary. A reboot of the infected machine is recommended.
+
+--
+Contributors:
+Original Rule Writer Max Vision
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Whitehats arachNIDS
+http://www.whitehats.com/info/IDS106
+
+Symantec Security Response
+http://securityresponse.symantec.com/avcenter/venc/data/deepthroat.trojan.html
+
+--
--- /dev/null
+++ b/doc/signatures/2095.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2095
+
+--
+Summary:
+vulnerability in the rpc service for the Calendar Manager Service Daemon
+(CMSD) used by XDR.
+
+--
+Impact:
+System compromise, denial of service, execution of arbitrary code,
+information disclosure.
+
+--
+Detailed Information:
+A vulnerability exists in various implementations of external data
+representation (XDR) libraries. An integer overflow in a component
+(xdr_array) used by XDR can lead to a buffer overflow.
+
+The XDR libraries are widely used by multiple vendors to provide a
+framework for data transmission across networks. This is most commonly
+used in RPC implementations.
+
+A specially crafted rpc request containing a large number of arguments
+to xdr_array can lead to remote system compromise and super user access
+to the target host. Additionally, a denial of service and execution of
+arbitrary code with the privilege of the super user is also possible
+depending on the platform used.
+
+--
+Affected Systems:
+Multiple verndors including all those using:
+ Sun Microsystems Network Services Library (libnsl)
+ GNU C library with sunrpc (glibc)
+ BSD-derived libraries with XDR/RPC routines (libc)
+
+--
+Attack Scenarios:
+The attacker needs to send a specially crafted rpc request containing a
+large number of arguments for xdr_array to the target host.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Upgrade the vendor libraries to the latest non-affected versions. Any
+statically linked binaries and applications must be recompiled and
+restarted after the upgrade.
+
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5356
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391
+
+CERT:
+http://www.cert.org/advisories/CA-2002-25.html
+http://www.kb.cert.org/vuls/id/192995
+
+--
--- /dev/null
+++ b/doc/signatures/122-27.txt
@@ -0,0 +1,93 @@
+
+
+Rule:
+
+--
+Sid:
+122-27
+
+--
+Summary:
+This event is generated when the pre-processor sfPortscan detects
+network traffic that may constitute an attack. Specifically a open port
+was detected.
+
+--
+Impact:
+Unknown. This is normally an indicator of possible network
+reconnaisance and may be the prelude to a targeted attack against the
+targeted systems.
+
+--
+Detailed Information:
+This event is generated when the sfPortscan pre-processor detects
+network traffic that may consititute an attack.
+
+A portscan is often the first stage in a targeted attack against a
+system. An attacker can use different portscanning techniques and tools
+to determine the target host operating system and application versions
+running on the host to determine the possible attack vectors against
+that host.
+
+More information on this event can be found in the individual
+pre-processor documentation README.sfportscan in the docs directory of
+the snort source. Descriptions of different types of portscanning
+techniques can also be found in the same documentation, along with
+instructions and examples on how to tune and use the pre-processor.
+
+--
+Affected Systems:
+ All.
+
+--
+Attack Scenarios:
+An attacker often uses a portscanning technique to determine operating
+system type and version and also application versions to determine
+possible effective attack vectors that can be used against the target
+host.
+
+--
+Ease of Attack:
+Simple. Many portscanning tools are freely available.
+
+--
+False Positives:
+While not necessarily a false positive, a security audit or penetration
+test will often employ the use of a portscan in the same way an
+attacker might use the technique. If this is the case, the
+pre-processor should be tuned to ignore the audit if so desired.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check for other events targeting the host.
+
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches as appropriate.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Daniel Roelker
+Marc Norton
+Jeremy Hewlett
+Nigel Houghton
+
+--
+Additional References:
+
+Nmap:
+http://www.insecure.org/nmap/
+
+Port Scanning Techniques and the Defense Against Them - Roger
+Christopher, SANS:
+http://www.sans.org/rr/whitepapers/auditing/70.php
+
+Hypervivid Tiger Team - Port-Scanning: A Practical Approach
+http://www.hcsw.org/reading/nmapguide.txt
+
+--
--- /dev/null
+++ b/doc/signatures/2661.txt
@@ -0,0 +1,54 @@
+Rule:
+
+--
+Sid:
+2661
+
+--
+Summary:
+This rule is intended to increase the accuracy of rules designed to
+generate events based on attempts to exploit implementations of Secure
+Socket Layer (SSL) version 2.
+
+--
+Impact:
+None. This is a protocol decode rule that does not generate events.
+
+--
+Detailed Information:
+This is a protocol decode rule that does not generate events.
+
+--
+Affected Systems:
+NA
+
+--
+Attack Scenarios:
+NA
+
+--
+Ease of Attack:
+NA
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+NA
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2754.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2754
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure comment_on_site_priority
+. This procedure is included in
+dbms_repcat.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2160.txt
@@ -0,0 +1,59 @@
+Rule:
+
+--
+Sid:
+2160
+
+
+--
+Summary:
+This event is generated when a possible outgoing virus is detected.
+
+--
+Impact:
+Informational event. An virus on an infected host may be attempting to
+propogate.
+
+--
+Detailed Information:
+This event indicates that an outgoing email message possibly containing
+a virus has been detected.
+
+This rule generates an event when a filename extension commonly used by
+viruses is detected.
+
+--
+Affected Systems:
+Any host.
+
+--
+Attack Scenarios:
+This is indicative of a virus infection.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+A legitimate attachment to an email may generate this event.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Check the host for signs of virus infection.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/1561.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1561
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2267.txt
@@ -0,0 +1,57 @@
+Rule:
+
+--
+Sid:
+2267
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in versions of Sendmail.
+
+--
+Impact:
+Remote arbitrary code execution.
+
+--
+Detailed Information:
+A vulnerability exists in the prescan() function used in Sendmail prior
+to version 8.12.9. This function contains an error when converting a
+character to an integer value while processing SMTP headers.
+
+--
+Affected Systems:
+All systems using Sendmail.
+
+--
+Attack Scenarios:
+An attacker could exploit this condition to process code of their
+choosing and open a listening shell bound to a high port, thus opening the
+system to further compromise.
+
+--
+Ease of Attack:
+Simple. Exploit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade Sendmail to the latest non-affected verison.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2193.txt
@@ -0,0 +1,87 @@
+Rule:
+
+--
+Sid:
+2193
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+This vulnerability is also exploited by the Billy/Blaster worm. The worm
+also uses the Trivial File Transfer Protocol (TFTP) to propagate. A
+number of events generated by this rule may indicate worm activity.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists. This is also exploited by a worm.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+Block access to port 69 used by the worm to propogate.
+
+Block access to port 4444 used by the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft:
+http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
+
+CVE:
+http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352
+
+Symantec:
+http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
+
+--
--- /dev/null
+++ b/doc/signatures/3186.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3186
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2295.txt
@@ -0,0 +1,65 @@
+Rule:
+
+--
+Sid:
+2295
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in the PHP web application Proxy2.de Advanced Poll 2.0.2
+running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt may have been made to exploit a
+known vulnerability in the PHP application Proxy2.de Advanced Poll
+2.0.2. This application does not perform stringent checks when handling
+user input, this may lead to the attacker being able to execute PHP
+code, include php files and possibly retrieve sensitive files from the
+server running the application.
+
+--
+Affected Systems:
+ All systems running Proxy2.de Advanced Poll 2.0.2
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying PHP script.
+
+--
+Ease of Attack:
+Simple. No exploit code is required.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/830.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+830
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3362.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3362
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1277.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1277
+
+--
+Summary:
+This event is generated when an attempt is made through a portmap GETPORT request to discover the port where the Remote Procedure Call (RPC) ypupdated is listening.
+
+--
+Impact:
+Information disclosure. This request is used to discover which port ypupdated is using. Attackers can also learn what versions of the ypupdated protocol are accepted by ypupdated.
+
+--
+Detailed Information:
+The portmapper service registers all RPC services on UNIX hosts. It can be queried to determine the port where RPC services such as ypupdated run. The ypupdated RPC service allows clients to update maps for Network Information Service (NIS), formerly known as Sun Yellow Pages. A vulnerability exists with improper validation associated with the 'make' command used to update changes, allowing the execution of arbitrary commands as root.
+
+--
+Affected Systems:
+HP HP-UX 10.1, 10.10, 10.20
+IBM AIX 3.2, 4.1
+NEC EWS-UX/V, UP-UX/V
+SGI IRIX 3.2, 3.3, 3.3.1, 3.3.2, 3.3.3,4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 5.0, 5.0.1, 5.1, 5.1.1, 5.2, 5.3, 6.0.1
+Sun SunOS 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4
+
+--
+Attack Scenarios:
+An attacker can query the portmapper to discover the port where ypupdated runs. This may be a precursor to accessing ypupdated.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+If a legitimate remote user is allowed to access ypupdated, this rule may trigger.
+
+--
+False Negatives:
+This rule detects probes of the portmapper service for ypupdated, not probes of the ypupdated service itself. Because RPC services often listen on fairly arbitrary ports, it may not be possible to detect misuses of the ypupdated service itself. An attacker may attempt to go directly to the ypupdated port without querying the portmapper service, which would not trigger the rule.
+
+--
+Corrective Action:
+Limit remote access to RPC services.
+
+Filter RPC ports at the firewall to ensure access is denied to RPC-enabled machines.
+
+Disable unneeded RPC services.
+
+--
+Contributors:
+Original rule written by Max Vision
+Modified by Brian Caswell
+Sourcefire Research Team
+Judy Novak
+
+--
+Additional References:
+
+Bugtraq
+http://www.securityfocus.com/bid/1749
+
+CERT
+http://www.cert.org/advisories/CA-1995-17.html
+
+Arachnids
+http://www.whitehats.com/info/IDS125
+
+--
--- /dev/null
+++ b/doc/signatures/1764.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1764
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1529.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+1529
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a buffer
+overflow or denial of service vulnerability associated with FTP SITE command.
+
+--
+Impact:
+Remote access or denial of service. A successful attack can cause a
+denial of service or allow remote execution of arbitrary commands with
+privileges of the process running the FTP server.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit various
+vulnerabilities associated with the FTP SITE command of different FTP
+servers. The Windows Serv-U FTP server 2.5a can be made to crash when an
+overly long argument is supplied to the SITE PASS command. The GuildFTPd
+free Windows FTP server 0.97 is vulnerable to a buffer overflow caused
+by issuing a SITE command that is 261 bytes or longer. A buffer overflow
+exists in Debian Linux 2.2 FTP daemon that is caused by issuing a SITE
+command that is 400 bytes or longer. The buffer overflow attacks may
+permit the execution of arbitrary commands with the privileges of the
+process running the FTP server. All of these attacks require login
+access to the vulnerable server via an authenticated or anonymous user.
+
+--
+Affected Systems:
+ Serv-U FTP server 2.5a.
+ GuildFTPd Server 0.97.
+ Debian 2.2 FTP server.
+
+--
+Attack Scenarios:
+An attacker may login to a vulnerable FTP server and enter an overly
+long file argument with the SITE command, causing a denial of service or
+buffer overflow.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2967.txt
@@ -0,0 +1,68 @@
+Rule:
+
+--
+Sid:
+2967
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Network Dynamic Data Exchange (NetDDE)
+services.
+
+--
+Impact:
+Serious. Execution of arbitrary code with system level privileges
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft NetDDE that may allow an attacker to
+run code of their choosing with system level privileges. A programming
+error in the handling of network messages may give an attacker the
+opportunity to overflow a fixed length buffer by using a specially
+crafted NetDDE message.
+
+This service is not started by default on Microsoft Windows systems, but
+this issue can also be exploited locally in an attempt to escalate
+privileges after a successful attack from an alternate vector.
+
+--
+Affected Systems:
+ Microsoft Windows NT, 2000, 2003, XP, 98 and ME systems.
+
+--
+Attack Scenarios:
+An attacker needs to craft a special NetDDE message in order to overflow
+the affected buffer.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches
+
+Disable the NetDDE service.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Microsoft Security Bulletin MS04-031:
+http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
+
+--
--- /dev/null
+++ b/doc/signatures/119-13.txt
@@ -0,0 +1,62 @@
+Rule:
+
+--
+Sid:
+119-13
+
+--
+Summary:
+This event is generated when the pre-processor http_inspect
+detects network traffic that may constitute an attack.
+
+--
+Impact:
+Unknown.
+
+--
+Detailed Information:
+This event is generated when the http_inspect pre-processor detects the
+use of a newline "\n" character as a delimeter. This is non-standard but
+is accepted by both Apache and IIS web servers.
+
+--
+Affected Systems:
+ All web servers
+
+--
+Attack Scenarios:
+An attacker may supply the newline character as the delimeter in a web
+request.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known.
+
+--
+False Negatives:
+None Known.
+
+--
+
+Corrective Action:
+Check the target host for signs of compromise.
+
+Apply any appropriate vendor supplied patches.
+
+--
+Contributors:
+Daniel Roelker
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+HTTP IDS Evasions Revisited - Daniel Roelker
+http://docs.idsresearch.org/http_ids_evasions.pdf
+
+--
--- /dev/null
+++ b/doc/signatures/3241.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3241
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2375.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2375
+
+--
+Summary:
+This event is generated when activity from the worm DoomJuice is
+detected.
+
+--
+Impact:
+This is indicative of worm activity which may launch of a Denial of
+Service condition against Microsoft from infected machines.
+
+--
+Detailed Information:
+This event is indicative of activity by the DoomJuice worm. This worm
+attempts to connect to random addresses on port 3127, if it receives a
+response it will attempt to upload a copy of itself to the target
+machine. If no response is received on that port, it will try on ports
+between 3127 and 3199.
+
+If the date is between February 8th and February 28th 2004, the worm
+will attempt to launch a Denial of Service (DoS) attack against
+www.microsoft.com.
+
+--
+Affected Systems:
+ Windows 95
+ Windows 98
+ Windows Me
+ Windows NT
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+This is worm activity.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+It is possible to edit the binary data in the executable to create a
+variant of the worm. This may evade the rule.
+
+--
+Corrective Action:
+Use Anti-Virus software to remove the worm.
+
+--
+Contributors:
+Sourcefire Research Team
+Matt Watchinski
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000519.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000519
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "VUBB" application running on a webserver. Access to the
+file "index.php" with SQL commands being passed as the "user" parameter may
+indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "user" parameter in the "index.php" script used by the
+"VUBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VUBB
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/3194.txt
@@ -0,0 +1,66 @@
+Rule:
+
+--
+Sid:
+3194
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft Internet Information Server.
+
+--
+Impact:
+Serious. Code execution leading to unauthorized administrative access
+on the target host.
+
+--
+Detailed Information:
+Microsoft IIS contains a programming error that may allow an attacker to
+execute commands of their choosing on a vulnerable system. If a valid
+request for an executable file on the system is made, the server will
+honor the request and execute any commands sent to the system. It may be
+possible for an attacker to execute system commands sent to cmd.exe or
+an executable batch file (.bat) for example.
+
+--
+Affected Systems:
+ Microsoft IIS 4.0
+ Microsoft IIS 5.0
+
+--
+Attack Scenarios:
+An attacker can send a request to an executable file on the system and
+supply command arguments of their choice to the file. The server will
+honor the request and execute the attackers commands.
+
+For example, http://www.target.com/scripts/cmd.bat"+&+somecommand
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest non-affected version of the software.
+
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1091.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1091
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000544.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+100000544
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection
+vulnerability in the "Dating Agent" application running on a webserver. Access
+to the file "search.php" with SQL commands being passed as the "relationship"
+parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a
+remote machine via the "relationship" parameter in the "search.php" script used
+by the "Dating Agent" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to compromise the database backend for the
+application, the attacker may also be able to execute system binaries or
+malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Dating Agent
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application
+if user input is not correctly sanitized or checked before passing that input
+to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/478.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+
+Sid:
+478
+
+--
+
+Summary:
+This event is generated when Broadscan Smurf Scanner generates an ICMP echo
+request message.
+
+--
+
+Impact:
+ICMP echo requests are used to determine if a host is running at a
+specific IP address. A remote attacker can scan a large range of hosts
+using ICMP echo requests to determine what hosts are operational on the
+network.
+
+--
+
+Detailed Information:
+The Broadscan Smurf Scanner generates an ICMP echo packet with a specific
+datagram signature.
+
+--
+
+Attack Scenarios:
+A remote attacker might scan a large range of hosts using ICMP echo
+requests to determine what hosts are operational on the network.
+
+--
+
+Ease of Attack:
+Simple. Packet generation tools can generate this type of ICMP packet
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+Packet generation tools can generate ICMP echo requests with
+user-defined payloads. This could allow attackers to replace this
+signature with binary values and conceal their operating system.
+
+--
+
+Corrective Action:
+To prevent information gathering, use a firewall to block incoming ICMP
+Type 8 Code 0 traffic.
+
+--
+
+Contributors:
+Original Rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+
+
+--
--- /dev/null
+++ b/doc/signatures/3328.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3328
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1511.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1511
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2832.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+2832
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database server.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code and Denial of Service.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to exploit a known
+vulnerability in an Oracle database implementation. Multiple buffer
+overflow conditions are present in numerous packages and procedures.
+
+Exploitation of these vulnerable procedures may allow an attacker to
+execute code of their choosing as the user running the database. In the
+case of databases running on Microsoft Windows platforms, this is the
+Local System account which may mean a compromise of the operating system
+as well as the database.
+
+This event indicates that an attempt has been made to exploit a
+vulnerability in the procedure do_deferred_repcat_admin
+. This procedure is included in
+sys.dbms_repcat_mas.
+
+--
+Affected Systems:
+ Oracle Oracle9i
+
+--
+Attack Scenarios:
+If an attacker can supply enough data to the procedure in question, it
+may be possible to cause the overflow condition to occur and present the
+attacker with the opportunity to execute code of their choosing.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1691.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid: 1691
+
+--
+
+Summary:
+This event is generated when a command is issued to an Oracle database server that may result in a serious compromise of the data stored on that system.
+
+--
+Impact:
+Serious. An attacker may have gained superuser access to the system.
+
+--
+Detailed Information:
+This event is generated when an attacker issues a special command to an Oracle database that may result in a serious compromise of all data stored on that system.
+
+Such commands may be used to gain access to a system with the privileges of an administrator, delete data, add data, add users, delete users, return sensitive information or gain intelligence on the server software for further system compromise.
+
+This connection can either be a legitimate telnet connection or the result of spawning a remote shell as a consequence of a successful network exploit.
+
+Oracle servers running on a Windows platform may listen on any arbitrary
+port. Change the $ORACLE_PORTS variable in snort.conf to "any" if this
+is applicable to the protected network.
+
+--
+
+Attack Scenarios:
+Simple. These are Oracle database commands.
+
+--
+
+Ease of Attack:
+Simple.
+
+--
+
+False Positives:
+This event may be generated by a database administrator logging in and issuing database commands from a location outside the protected network.
+
+--
+False Negatives:
+Configure your ORACLE_PORTS variable correctly for the environment you are in.
+In many situations ORACLE negotiates a communication port. This means that 1521
+and 1526 are not used for communication during the entire transaction. A new
+port is negotiated after the initial connect message, all communication after
+that uses this other port. If you are in an environment such as this, you should
+set ORACLE_PORTS to "any" in snort.conf.
+
+Otherwise, there are no known false negatives.
+
+--
+
+Corrective Action:
+Use a firewall to disallow direct access to the Oracle database from sources external to the protected network.
+Ensure that this event was not generated by a legitimate session then investigate the server for signs of compromise
+
+Look for other events generated by the same IP addresses.
+
+--
+Contributors:
+Original Rule Writer Unknown
+Sourcefire Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/1101.txt
@@ -0,0 +1,71 @@
+Rule:
+
+--
+Sid:
+1101
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability on a web server or a web application resident on a web
+server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server. Possible execution of arbitrary code of
+the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to compromise a host
+running a Web server or a vulnerable application on a web server.
+
+Many known vulnerabilities exist for each implementation and the
+attack scenarios are legion.
+
+Some applications do not perform stringent checks when validating the
+credentials of a client host connecting to the services offered on a
+host server. This can lead to unauthorized access and possibly escalated
+privileges to that of the administrator. Data stored on the machine can
+be compromised and trust relationships between the victim server and
+other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+ All systems using a web server.
+
+--
+Attack Scenarios:
+Many attack vectors are possible from simple directory traversal to
+exploitation of buffer overflow conditions.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+Check the host logfiles and application logs for signs of compromise.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000623.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000623
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Indexu" application running on a webserver.
+Access to the file "menu.php" using a remote file being passed as the
+"admin_template_path" parameter may indicate that an exploitation attempt has
+been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "admin_template_path" parameter in the "menu.php" script
+used by the "Indexu" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Indexu
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/3364.txt
@@ -0,0 +1,70 @@
+Rule:
+
+--
+Sid:
+3364
+
+--
+Summary:
+This rule generates an event when an attempt is made to exploit a known
+vulnerability in Microsoft RPC DCOM.
+
+--
+Impact:
+Execution of arbitrary code leading to full administrator access of the
+machine. Denial of Service (DoS).
+
+--
+Detailed Information:
+A vulnerability exists in Microsoft RPC DCOM such that execution of
+arbitrary code or a Denial of Service condition can be issued against a
+host by sending malformed data via RPC.
+
+The Distributed Component Object Model (DCOM) handles DCOM requests sent
+by clients to a server using RPC. A malformed request to an RPC port
+will result in a buffer overflow condition that will present the
+attacker with the opportunity to execute arbitrary code with the
+privileges of the local system account.
+
+--
+Affected Systems:
+ Windows NT 4.0
+ Windows NT 4.0 Terminal Server Edition
+ Windows 2000
+ Windows XP
+ Windows Server 2003
+
+--
+Attack Scenarios:
+An attacker may make a request for a file with an overly long filename
+via a network share.
+
+--
+Ease of Attack:
+Simple. Expoit code exists.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+Block access to RPC ports 135, 139 and 445 for both TCP and UDP
+protocols from external sources using a packet filtering firewall.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000422.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000422
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file include vulnerability in the "phpBB" application running on a webserver. Access to the file "template.php" using a remote file being passed as the "page" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a remote machine via the "page" parameter in the "template.php" script used by the "phpBB" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to execute system binaries or malicious code of the attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using phpBB
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own credentials to gain access. Alternatively the attacker can exploit weaknesses to gain access as the administrator by supplying input of their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/421.txt
@@ -0,0 +1,60 @@
+Rule:
+
+--
+
+Sid:
+421
+
+--
+
+Summary:
+This event is generated when a network host generates an ICMP Mobile Registration Reply datagram.
+
+--
+
+Impact:
+ICMP Mobile Registration Reply were never implemented and have been replaced by UDP and TCP versions of the message. ICMP Type 36 datagrams should never be seen in normal network conditions.
+
+--
+
+Detailed Information:
+ICMP Mobile Registration Reply datagrams were developed before the approval of RFC3344 (IP Mobility Support for IPv4). Therefore these types of ICMP datagrams should never be seen in normal networking conditions.
+
+--
+
+Attack Scenarios:
+None known
+
+--
+
+Ease of Attack:
+Numerous tools and scripts can generate this type of ICMP datagram.
+
+--
+
+False Positives:
+None known
+
+--
+
+False Negatives:
+None known
+--
+
+Corrective Action:
+ICMP Type 36 datagrams are not normal network activity. Hosts generating these types of datagrams should be investigated for nefarious activity
+
+--
+
+Contributors:
+Original rule writer unknown
+Sourcefire Research Team
+Matthew Watchinski (matt.watchinski@sourcefire.com)
+
+--
+
+Additional References:
+None
+
+
+--
--- /dev/null
+++ b/doc/signatures/2705.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2705
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft GDI using a malformed JPEG image.
+
+--
+
+Impact:
+Serious. Execution of arbitrary code is possible. Denial of Service
+(DoS),
+
+--
+Detailed Information:
+The Microsoft Graphics Device Interface contains a programming error
+in the handling of Joint Photographics Experts Group (JPEG) files. This
+error may allow an attacker to execute code of their choosing on a
+vulnerable system.
+
+Due to the popularity of jpeg files, and in order to provide accurate
+detection for the GDI JPEG vulnerability, sid 2705 may generate false
+positive events in certain situations. Since this rule may generate
+a number of false positives it is disabled by default.
+
+In order to avoid potential evasion techniques, http_inspect should be
+configured with "flow_depth 0" so that all HTTP server response traffic is
+inspected.
+
+WARNING
+Setting flow_depth 0 will cause performance problems in some situations.
+WARNING
+
+--
+Affected Systems:
+ All Microsoft systems including multiple Microsoft products
+
+--
+Attack Scenarios:
+An attacker would need to supply a malformed jpeg image to a victim and
+have the use attempt to view the file.
+
+--
+Ease of Attack:
+Medium.
+
+--
+
+False Positives:
+False positive events are known to occur with this rule, the incidence
+is low but may be an inconvenience in some installations.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Alex Kirk
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2084.txt
@@ -0,0 +1,75 @@
+Rule:
+
+--
+Sid:
+2084
+
+--
+Summary:
+xfsmd
+
+--
+Impact:
+Possible root access and code execution.
+
+--
+Detailed Information:
+It is possible for an attacker to exploit some versions of the xfsmd
+daemon.
+
+Due to a programming error, the service does not correctly check for
+certain meta-characters and they are not stripped from the request.
+
+The xfsmd daemon is not installed by default on IRIX systems but it is
+part of an optional package.
+
+--
+Affected Systems:
+ IRIX 6.2
+ IRIX 6.3
+ IRIX 6.4
+ IRIX 6.5.x
+
+--
+Attack Scenarios:
+Exploits are widely available.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Patches are NOT available for this issue.
+
+Disable and remove the xfsmd daemon.
+
+Uprade to the latest non affected version of the operating system
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/5075
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0359
+
+SGI IRIX:
+ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I
+
+--
--- /dev/null
+++ b/doc/signatures/819.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+819
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/669.txt
@@ -0,0 +1,58 @@
+Rule:
+
+--
+Sid:
+669
+
+--
+Summary:
+This event is generated when an external attacker attempts to exploit a vulnerability in Sendmail, where linefeed characters in ident messages are not properly parsed.
+
+--
+Impact:
+Severe. Remote execution of arbitrary code, leading to remote root compromise.
+
+--
+Detailed Information:
+Sendmail 8.6.10 and earlier versions contain a vulnerability related to the parsing of linefeed characters in commands passed from ident to Sendmail. An attacker can use a specially crafted command with linefeeds in an ident response to Sendmail. The message is not properly parsed and Sendmail forwards the response, with included commands, to its queue. The commands are then executed while the message awaits delivery in the Sendmail queue, causing the included arbitrary code to be executed on the server in the security context of Sendmail.
+
+--
+Affected Systems:
+Systems running unpatched versions of Sendmail 8.6.10 or earlier.
+
+--
+Attack Scenarios:
+An attacker sends an email with linefeed characters and includes a path variable of P=/bin/sh. Directives included in the transmission are executed while the message remains in the Sendmail queue.
+
+--
+Ease of Attack:
+Moderate. Multiple exploits exist, but the window of opportunity is small; the vulnerability must be exploited while the message is queued for delivery and must have sufficient time (the mail server must be busy/slow) to execute the commands.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Upgrade to the latest version of Sendmail.
+
+--
+Contributors:
+Original rule written by Max Vision
+Sourcefire Research Team
+Sourcefire Technical Publications Team
+Jen Harvey
+
+--
+Additional References:
+CVE
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0204
+
+Bugtraq
+http://www.securityfocus.com/bid/2311
+
+--
--- /dev/null
+++ b/doc/signatures/100000826.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000826
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "Phorum" application running on a webserver. Access to the file "search.php" with SQL commands being passed as the "mode" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "mode" parameter in the "search.php" script used by the "Phorum" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Phorum
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/2033.txt
@@ -0,0 +1,85 @@
+Rule:
+
+--
+Sid:
+2033
+
+--
+Summary:
+A request has been made to rpc.ypserv from an external source that
+should not have access to this service. This may be indicative of an
+intelligence gathering activity as a prelude to a more serious
+compromise of system resources.
+
+service against the target host.
+
+--
+Impact:
+Disclosure of sensitive system information to an unauthorized user.
+Possible denial of service.
+
+--
+Detailed Information:
+The rpc.ypserv daemon queries information in the local NIS maps. A
+response to this query may divulge important information to the user
+performing the query. This could lead to futher exploitation of
+resources on the network.
+
+In addition, a vulnerability exists in ypserv on some Linux platforms
+that could lead to a buffer overflow and root compromise of the target
+host. This is achieved by making a multitude of requests for a NIS map
+that does not exist.
+
+--
+Affected Systems:
+Multiple systems running versions of ypserv prior to 2.5.
+
+--
+Attack Scenarios:
+The attacker can craft a malicious request to rpc.ypserv such that
+valuable information can be returned to the attacker.
+
+In the case of a buffer overflow, the attacker might issue a large
+therefore, be seen many times.
+
+--
+Ease of Attack:
+Simple
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Disallow all RPC requests from external sources and use a firewall to
+block access to RPC ports from outside the LAN.
+
+Upgrade ypserv to the latest version.
+
+Use /var/yp/securenets to list the hosts allowed to access this resource
+where appropriate.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+Bugtraq:
+http://www.securityfocus.com/bid/6016
+http://www.securityfocus.com/bid/5914
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1232
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1043
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1042
+
+--
--- /dev/null
+++ b/doc/signatures/1313.txt
@@ -0,0 +1,64 @@
+Rule:
+--
+Sid:
+
+1313
+
+--
+Summary:
+This rule indicates that a webpage was visited the included the content "up skirt".
+
+--
+Impact:
+Someone could be violating your company's policy regarding the browsing of inappropriate content.
+
+--
+Detailed Information:
+
+This rule looks for a response from a webserver containing "up skirt".
+
+--
+Affected Systems:
+
+All
+
+--
+Attack Scenarios:
+
+Not an attack.
+
+--
+Ease of Attack:
+
+N/A.
+
+--
+False Positives:
+
+This could have been caused by a pop-up window or spam with an embedded link to a pornographic website. This could also be caused by somebody visiting the snort rule descriptions on the snort website.
+
+--
+False Negatives:
+
+None known.
+--
+Corrective Action:
+
+Dependent on your company's policies.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Steven Alexander
+--
+Additional References:
+
+
+
+
+
+
+
+--
--- /dev/null
+++ b/doc/signatures/1544.txt
@@ -0,0 +1,78 @@
+Rule:
+--
+Sid:
+1544
+--
+Summary:
+This event is generated when an attempt is made to list the user
+configuration file on a Cisco router or switch.
+--
+Impact:
+If successful, the switch will reveal the local authentication user
+configuration file to an attacker without requiring prior
+authentication.
+--
+Detailed Information:
+The HTTP server that is part of some versions of the Cisco IOS software
+allows remote command execution when the access control method is set to
+local authentication.
+
+--
+Affected Systems:
+The following Cisco products can be affected. Whether they actually
+are vulnerable or not depends on the version of IOS that they are
+running. To properly determine if your product is vulnerable, see the
+Cisco website referenced below. This is not exploitable if the device
+is using an access control method other than local authentication.
+Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
+1400, 1500, 1600, 1700, 2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700,
+AS5200, AS5300, AS5800, 6400, 7000, 7100, 7200, ubr7200, 7500, and 12000
+series.
+Most recent versions of the LS1010 ATM switch.
+The Catalyst 6000 and 5000 if they are running Cisco IOS software.
+The Catalyst 2900XL and 3500XL LAN switch only if it is running Cisco
+IOS software.
+The Catalyst 2900 and 3000 series LAN switches are affected.
+The Cisco Distributed Director.
+--
+Attack Scenarios:
+By making the request to a vulnerable system, an attacker can take
+complete control of a Cisco device.
+--
+Ease of Attack:
+Simple. HTTP GET request, a browser may be used.
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+This rule only looks for one particular command (show config cr).
+However, this vulnerability will allow any other command to be executed
+on the device at the highest privilege level, and this rule will
+not detect them.
+
+This rule only looks for attacks against systems that are included
+in the $HTTP_SERVERS group.
Many administrators do not consider
+routers or switches to be web servers, and therefore may not include
+vulnerable devices in this group, causing an attack to proceed
+unnoticed. If you think one of your routers or switches is vulnerable,
+reference it in the $HTTP_SERVERS group.
+--
+Corrective Action:
+Turn off the web server functionality, use access lists to ensure only
+trusted hosts have access to the device, use TACACS+ or RADIUS for
+access control, or upgrade your version of IOS.
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Snort documentation contributed by Kevin Peuhkurinen
+
+--
+Additional References:
+
+Cisco
+http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html
+
+--
--- /dev/null
+++ b/doc/signatures/100000505.txt
@@ -0,0 +1,73 @@
+Rule:
+
+--
+Sid:
+100000505
+--
+Summary:
+This event is generated when an attempt is made to exploit a remote file
+include vulnerability in the "Nucleus CMS" application running on a webserver.
+Access to the file "server.php" using a remote file being passed as the
+"DIR_LIB" parameter may indicate that an exploitation attempt has been
+attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution of
+arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to include a file from a
+remote machine via the "DIR_LIB" parameter in the "server.php" script used by
+the "Nucleus CMS" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also
+be possible for an attacker to execute system binaries or malicious code of the
+attackers choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to
+a CGI application running ona web server. Some applications do not perform
+stringent checks when validating the credentials of a client host connecting to
+the services offered on a host server. This can lead to unauthorized access and
+possibly escalated privileges to that of the administrator. Data stored on the
+machine can be compromised and trust relationships between the victim server
+and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using Nucleus CMS
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her own
+credentials to gain access. Alternatively the attacker can exploit weaknesses
+to gain access as the administrator by supplying input of their choosing to the
+underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had
+all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+--
+
--- /dev/null
+++ b/doc/signatures/3031.txt
@@ -0,0 +1,67 @@
+Rule:
+
+--
+Sid:
+3031
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Samba implementation.
+
+--
+Impact:
+Serious. Possible execution of arbitrary code.
+
+--
+Detailed Information:
+Samba is a file and print serving system for heterogenous networks. It
+is available for use as a service and client on UNIX/Linux systems and as
+a client for Microsoft Windows systems.
+
+Samba uses the SMB/CIFS protocols to allow communication between client
+and server. The SMB protocol contains many commands and is commonly used
+to control network devices and systems from a remote location. A
+vulnerability exists in the way the smb daemon processes commands sent by
+a client system when accessing resources on the remote server.The problem
+exists in the allocation of memory which can be exploited by an attacker
+to cause an integer overflow, possibly leading to the execution of
+arbitrary code on the affected system with the privileges of the user
+running the smbd process.
+
+--
+Affected Systems:
+ Samba 3.0.8 and prior
+
+--
+Attack Scenarios:
+An attacker needs to supply specially crafted data to the smb daemon to
+overflow a buffer containing the information for the access control lists
+to be applied to files in the smb query.
+
+--
+Ease of Attack:
+Difficult.
+
+--
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+Corrective Action:
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/3121.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+3121
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in Microsoft License Logging Service.
+
+--
+Impact:
+Serious. Execution of arbitrary code leading to unauthorized
+administrative access to the target host. Denial of Service (DoS) is
+also possible.
+
+--
+Detailed Information:
+Microsoft License Logging Service is used to manage licenses for
+Microsoft server products.
+
+A vulnerability in the service exists due to a programming error such
+that an unchecked buffer may present an attacker with the opportunity to
+exploit the service and run code of their choosing on an affected
+system. The attacker may then cause a DoS condition in the service or
+possibly gain administrative access to the target host.
+
+The unchecked buffer exists when processing the length of messages sent
+to the logging service.
+
+--
+Affected Systems:
+ Microsoft Windows Server 2003
+ Microsoft Windows Server 2000
+ Microsoft Windows NT Server
+
+--
+Attack Scenarios:
+An attacker can supply extra data in the message to the service
+containing code of their choosing to be run on the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+
+Corrective Action:
+Apply the appropriate vendor supplied patches.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/2622.txt
@@ -0,0 +1,72 @@
+Rule:
+
+--
+Sid:
+2622
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a Oracle database implementation.
+
+--
+Impact:
+Serious. Execution of arbitrary code may be possible. A Denial of
+Service (DoS) condition may also be caused.
+
+--
+Detailed Information:
+Oracle databases may use a built-in procedure to assist in useful
+tasks. The "drop_an_object" procedure contains a programming error
+that may allow an attacker to execute a buffer overflow attack.
+
+This overflow is triggered by a long string in a parameter for the
+procedure.
+
+If you are running Oracle on a Windows server, make sure that the
+variable $ORACLE_PORTS is set to a value of "any".
+
+--
+Affected Systems:
+ Oracle 9i
+
+--
+Attack Scenarios:
+An attacker can supply a long string to the third variable to cause
+the overflow. The result could permit the attacker to gain escalated
+privileges and run code of their choosing. This attack requires an
+attacker to logon to the database with a valid username and password
+combination.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Matt Watchinski
+Brian Caswell
+Nigel Houghton
+Judy Novak
+
+--
+Additional References:
+
+Other:
+http://www.appsecinc.com/Policy/PolicyCheck97.html
+
+--
--- /dev/null
+++ b/doc/signatures/2545.txt
@@ -0,0 +1,63 @@
+Rule:
+
+--
+Sid:
+2545
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in AppleFileServer.
+
+--
+
+Impact:
+Serious. Unauthorized remote administrative access.
+
+--
+Detailed Information:
+AppleFileServer is used to share files and mount remote drives between
+machines using Apple Macintosh OS X. An error in the processing of
+PathName may lead to a buffer overflow. If the length of a string for
+AFPName is longer than the declared length, the buffer will be
+overflowed and may present an attacker with the opportunity to execute
+code of their choosing.
+
+--
+
+Attack Scenarios:
+An attacker can supply an AFPName longer than what is expected by the
+service and overwrite portions of memory leading to the execution of
+code.
+
+--
+
+Ease of Attack:
+Simple
+
+--
+
+False Positives:
+None Known
+
+--
+False Negatives:
+None Known
+
+--
+
+Corrective Action:
+Disable AFP if not needed
+
+Apply the appropriate vendor supplied patch
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/100000822.txt
@@ -0,0 +1,58 @@
+
+
+Rule:
+
+--
+Sid:
+100000822
+--
+Summary:
+This event is generated when an attempt is made to exploit an SQL injection vulnerability in the "VBZooM" application running on a webserver. Access to the file "reply.php" with SQL commands being passed as the "UserID" parameter may indicate that an exploitation attempt has been attempted.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized administrative access to the server or application. Possible execution of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event indicates that an attempt has been made to inject SQL code from a remote machine via the "UserID" parameter in the "reply.php" script used by the "VBZooM" application running on a webserver.
+
+If stringent input checks are not performed by the CGI application, it may also be possible for an attacker to compromise the database backend for the application, the attacker may also be able to execute system binaries or malicious code of their choosing.
+
+This event is generated when an attempt is made to gain unauthorized access to a CGI application running ona web server. Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited by the attacker.
+
+--
+Affected Systems:
+All systems running CGI applications using VBZooM
+--
+Attack Scenarios:
+An attacker can inject SQL commands to the backend database for an application if user input is not correctly sanitized or checked before passing that input to the database.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Vulnerability Research Team
+Nigel Houghton
+--
+Additional References:
+
+SQL Injection Attack and Defense
+http://www.securitydocs.com/library/3587
+
+--
+
--- /dev/null
+++ b/doc/signatures/1871.txt
@@ -0,0 +1,64 @@
+Rule:
+
+--
+Sid:
+1871
+
+--
+Summary:
+This event is generated when an attempt is made to access an Oracle
+Application Server's XSQLConfig.xml configuration file.
+
+--
+Impact:
+Serious
+
+--
+Detailed Information:
+With the default installation of Oracle's Application Server, it is
+possible for an unauthorized user to view the XSQLConfig.xml file. This
+file contains information such as the database server's name, user id's,
+and passwords.
+
+--
+Affected Systems:
+ Oracle 9i Application Server
+
+--
+Attack Scenarios:
+An attacker can use this to find out information about the database and
+then use that information to compromise the server.
+
+--
+Ease of Attack:
+Simple.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Apply appropriate permissions to the file.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+Snort documentation contributed by Josh Sakofsky
+
+--
+Additional References:
+
+CVE:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0568
+
+Nessus:
+http://cgi.nessus.org/plugins/dump.php3?id=10855
+
+--
--- /dev/null
+++ b/doc/signatures/1705.txt
@@ -0,0 +1,69 @@
+Rule:
+
+--
+Sid:
+1705
+
+--
+Summary:
+This event is generated when an attempt is made to exploit a known
+vulnerability in a CGI web application running on a server.
+
+--
+Impact:
+Information gathering and system integrity compromise. Possible unauthorized
+administrative access to the server or application. Possible execution
+of arbitrary code of the attackers choosing in some cases.
+
+--
+Detailed Information:
+This event is generated when an attempt is made to gain unauthorized
+access to a CGI application running ona web server. Some applications do
+not perform stringent checks when validating the credentials of a client
+host connecting to the services offered on a host server. This can lead
+to unauthorized access and possibly escalated privileges to that of the
+administrator. Data stored on the machine can be compromised and trust
+relationships between the victim server and other hosts can be exploited by the attacker.
+
+If stringent input checks are not performed by the CGI application, it
+may also be possible for an attacker to execute system binaries or
+malicious code of the attackers choosing.
+
+--
+Affected Systems:
+ All systems running CGI applications
+
+--
+Attack Scenarios:
+An attacker can access an authentication mechanism and supply his/her
+own credentials to gain access. Alternatively the attacker can exploit
+weaknesses to gain access as the administrator by supplying input of
+their choosing to the underlying CGI script.
+
+--
+Ease of Attack:
+Simple. Exploits exist.
+
+--
+False Positives:
+None known.
+
+--
+False Negatives:
+None known.
+
+--
+Corrective Action:
+Ensure the system is using an up to date version of the software and has
+had all vendor supplied patches applied.
+
+--
+Contributors:
+Sourcefire Research Team
+Brian Caswell
+Nigel Houghton
+
+--
+Additional References:
+
+--
--- /dev/null
+++ b/doc/signatures/121.txt
@@ -0,0 +1,112 @@ +Rule: + +-- +Sid: +121 + +-- +Summary: +Infector is a Trojan Horse. + +-- +Impact: +Possible theft of data via download, upload of files, execution of files +and reboot the targeted machine. + +-- +Detailed Information: +This Trojan affects the following operating systems: + + Windows 95 + Windows 98 + Windows ME + +The Trojan changes system registry settings to add the Infector sever to +programs normally started on boot. Due to the nature of this Trojan it +is unlikely that the attacker's client IP address has been spoofed. + + SID Message + --- ------- + 117 Infector 1.x + 120 Infector 1.6 Server to Client + 121 Infector 1.6 Client to Server Connection Request + +This Trojan is commonly used to install other Trojan programs. + +The Trojan also makes changes to the system registry and win.ini file. + +Notification of an active server is achieved via IRC or ICQ. + +-- +Attack Scenarios: +This Trojan may be delivered to the target in a number of ways. This +event is indicative of an existing infection being activated. Initial +compromise can be in the form of a Win32 installation program that may +use the extension ".jpg" or ".bmp" when delivered via e-mail for +example. + +-- +Ease of Attack: +This is Trojan activity, the target machine may already be compromised. +Updated virus definition files are essential in detecting this Trojan. + +The Trojan server is located at :\WINDOWS\Apxil32.exe a backup +copy is made and usually named D3x32.drv. + +-- +False Positives: +None Known + +-- +False Negatives: +None Known + +-- +Corrective Action: + +Edit the system registry to remove the extra keys or restore a +previously known good copy of the registry. + +Affected registry keys are: + + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ + HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices + +Registry keys added are: + + apxil32 = apxil32.exe + +Removal of this entry is required. 
+ +Delete the file :\WINDOWS\Apxil32.exe + +Ending the Trojan process is also necessary. A reboot of the infected +machine is recommended. + +A change is also made to the win.ini file, the line run=apxil32.exe +apxil32.exe is added and should be deleted. + +-- +Contributors: +Original Rule Writer Max Vision +Sourcefire Research Team +Nigel Houghton + +-- +Additional References: + +Whitehats arachNIDS +http://www.whitehats.com/info/IDS315 +http://www.whitehats.com/info/IDS502 +http://www.whitehats.com/info/IDS503 + +Diamond Computer Systems Security Advisory +http://www.diamondcs.com.au/web/alerts/infector.htm + +Megasecurity: +http://www.megasecurity.org/trojans/i/infector/Infector_all.html + +Simovits: +http://www.simovits.com/trojans/tr_data/y1627.html + +-- --- /dev/null +++ b/doc/signatures/1082.txt 
@@ -0,0 +1,71 @@ +Rule: + +-- +Sid: +1082 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability on a web server or a web application resident on a web +server. + +-- +Impact: +Information gathering and system integrity compromise. Possible unauthorized +administrative access to the server. Possible execution of arbitrary code of +the attackers choosing in some cases. + +-- +Detailed Information: +This event is generated when an attempt is made to compromise a host +running a Web server or a vulnerable application on a web server. + +Many known vulnerabilities exist for each implementation and the +attack scenarios are legion. + +Some applications do not perform stringent checks when validating the +credentials of a client host connecting to the services offered on a +host server. This can lead to unauthorized access and possibly escalated +privileges to that of the administrator. Data stored on the machine can +be compromised and trust relationships between the victim server and +other hosts can be exploited by the attacker. + +-- +Affected Systems: + All systems using a web server. + +-- +Attack Scenarios: +Many attack vectors are possible from simple directory traversal to +exploitation of buffer overflow conditions. + +-- +Ease of Attack: +Simple. Exploits exist. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Ensure the system is using an up to date version of the software and has +had all vendor supplied patches applied. + +Check the host logfiles and application logs for signs of compromise. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- --- /dev/null +++ b/doc/signatures/2493.txt 
@@ -0,0 +1,93 @@ +Rule: + +-- +Sid: +2493 + +-- +Summary: +This rule no longer generates an event when an attempt is made to exploit a known +vulnerability in Microsoft RPC DCOM. + +-- +Impact: +Execution of arbitrary code leading to full administrator access of the +machine. Denial of Service (DoS). + +-- +Detailed Information: +This rule now uses flowbits and can be set to generate an event by +modifying the rule slightly to remove the "flowbits:no_alert;" option. +When traffic is detected that attempts to bind to the ISystemActivator +object in MS RPC DCOM communications this rule now activates sids 2351 +and 2352 to detect exploits against this service. Cool huh? + +A vulnerability exists in Microsoft RPC DCOM such that execution of +arbitrary code or a Denial of Service condition can be issued against a +host by sending malformed data via RPC. + +The Distributed Component Object Model (DCOM) handles DCOM requests sent +by clients to a server using RPC. A malformed request to an RPC port +will result in a buffer overflow condition that will present the +attacker with the opportunity to execute arbitrary code with the +privileges of the local system account. + +This vulnerability is also exploited by the Billy/Blaster worm. The worm +also uses the Trivial File Transfer Protocol (TFTP) to propagate. A +number of events generated by this rule may indicate worm activity. + +-- +Affected Systems: + Windows NT 4.0 + Windows NT 4.0 Terminal Server Edition + Windows 2000 + Windows XP + Windows Server 2003 + +-- +Attack Scenarios: +An attacker may make a request for a file with an overly long filename +via a network share. + +-- +Ease of Attack: +Simple. Expoit code exists. This is also exploited by a worm. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches. 
+ +Block access to RPC ports 135, 139 and 445 for both TCP and UDP +protocols from external sources using a packet filtering firewall. + +Block access to port 69 used by the worm to propogate. + +Block access to port 4444 used by the worm. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +Microsoft: +http://www.microsoft.com/technet/security/bulletin/MS03-026.asp + +CVE: +http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352 + +Symantec: +http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html + +-- --- /dev/null +++ b/doc/signatures/2344.txt @@ -0,0 +1,59 @@ +Rule: + +-- +Sid: +2344 + +-- +Summary: +This event is generated when an attempt is made to exploit a known +vulnerability in ArGoSoft FTP Server. + +-- +Impact: +Execution of arbitrary code. Possible unauthorized administrative access. + +-- +Detailed Information: +ArGoSoft FTP Server fails to perform sufficient checks on user supplied data to the +XCWD command. An attacker may exploit this vulnerability to execute code of +their choosing as the user running the process. This may lead to remote +administrative access to the server. + +-- +Affected Systems: + ArGoSoft FTP Server 1.4.1 .1 + +-- +Attack Scenarios: +An attacker may connect to the server and supply spurious data to the +XCWD command causing the overrun to occur. + +-- +Ease of Attack: +Simple. + +-- +False Positives: +None known. + +-- +False Negatives: +None known. + +-- +Corrective Action: +Apply the appropriate vendor supplied patches. + +Upgrade to the latest non-affected version of the software. + +-- +Contributors: +Sourcefire Research Team +Brian Caswell +Nigel Houghton + +-- +Additional References: + +-- debian/patches/fix_upstream_typos0000664000000000000000000000363612317400025014510 0ustar Description: Fix upstream typos to satisfy lintian. Author: Jonathan Davies --- snort-2.9.6.0.orig/src/parser.c +++ snort-2.9.6.0/src/parser.c 
@@ -4515,7 +4515,7 @@ char * ProcessFileOption(SnortConfig *sc
 if(filespec == NULL)
 {
- ParseError("no arguement in this file option, remove extra ':' at the end of the alert option\n");
+ ParseError("no argument in this file option, remove extra ':' at the end of the alert option\n");
 }
 /* look for ".." in the string and complain and exit if it is found */
--- snort-2.9.6.0.orig/src/sfutil/sfportobject.c
+++ snort-2.9.6.0/src/sfutil/sfportobject.c
@@ -3674,7 +3674,7 @@ char * PortObjectParseError( POParser *
 {
 case POPERR_NO_NAME: return "no name";
 case POPERR_NO_ENDLIST_BRACKET: return "no end of list bracket."
- " Elements must be comma seperated,"
+ " Elements must be comma separated,"
 " and no spaces may appear between"
 " brackets.";
 case POPERR_NOT_A_NUMBER: return "not a number";
--- snort-2.9.6.0.orig/src/dynamic-preprocessors/dns/spp_dns.c
+++ snort-2.9.6.0/src/dynamic-preprocessors/dns/spp_dns.c
@@ -276,7 +276,7 @@ static void ParseDNSArgs(DNSConfig *conf
 if (( !cur_tokenp ) || ( strcmp(cur_tokenp, "{" )))
 {
 DynamicPreprocessorFatalMessage("%s(%d) Bad value specified for %s. Must start "
- "with '{' and be space seperated.\n",
+ "with '{' and be space separated.\n",
 *(_dpd.config_file), *(_dpd.config_line),
 DNS_PORTS_KEYWORD);
 //free(argcpyp);
debian/patches/config_disabled_rules0000664000000000000000000001700012317374526015060 0ustar Description: Disables rules files not available in Debian package Author: Javier Fernandez-Sanguino Pen~a Origin: vendor Last-Update: 2012-05-05
--- a/etc/snort.conf
+++ b/etc/snort.conf
@@ -561,115 +561,125 @@
 # can be *very* out of date. For more information please read
 # the /usr/share/doc/snort-rules-default/README.Debian file
+#
+# If you install the official VRT Sourcefire rules please review this
+# configuration file and re-enable (remove the comment in the first line) those
+# rules files that are available in your system (in the /etc/snort/rules
+# directory)
+
 # site specific rules
 include $RULE_PATH/local.rules
-include $RULE_PATH/app-detect.rules
+#include $RULE_PATH/app-detect.rules
 include $RULE_PATH/attack-responses.rules
 include $RULE_PATH/backdoor.rules
 include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/blacklist.rules
-include $RULE_PATH/botnet-cnc.rules
-include $RULE_PATH/browser-chrome.rules
-include $RULE_PATH/browser-firefox.rules
-include $RULE_PATH/browser-ie.rules
-include $RULE_PATH/browser-other.rules
-include $RULE_PATH/browser-plugins.rules
-include $RULE_PATH/browser-webkit.rules
+#include $RULE_PATH/blacklist.rules
+#include $RULE_PATH/botnet-cnc.rules
+#include $RULE_PATH/browser-chrome.rules
+#include $RULE_PATH/browser-firefox.rules
+#include $RULE_PATH/browser-ie.rules
+#include $RULE_PATH/browser-other.rules
+#include $RULE_PATH/browser-plugins.rules
+#include $RULE_PATH/browser-webkit.rules
 include $RULE_PATH/chat.rules
-include $RULE_PATH/content-replace.rules
+#include $RULE_PATH/content-replace.rules
 include $RULE_PATH/ddos.rules
 include $RULE_PATH/dns.rules
 include $RULE_PATH/dos.rules
 include $RULE_PATH/experimental.rules
-include $RULE_PATH/exploit-kit.rules
+#include $RULE_PATH/exploit-kit.rules
 include $RULE_PATH/exploit.rules
-include $RULE_PATH/file-executable.rules
-include $RULE_PATH/file-flash.rules
-include $RULE_PATH/file-identify.rules
-include $RULE_PATH/file-image.rules
-include $RULE_PATH/file-java.rules
-include $RULE_PATH/file-multimedia.rules
-include $RULE_PATH/file-office.rules
-include $RULE_PATH/file-other.rules
-include $RULE_PATH/file-pdf.rules
+#include $RULE_PATH/file-executable.rules
+#include $RULE_PATH/file-flash.rules
+#include $RULE_PATH/file-identify.rules
+#include $RULE_PATH/file-image.rules
+#include $RULE_PATH/file-java.rules
+#include $RULE_PATH/file-multimedia.rules
+#include $RULE_PATH/file-office.rules
+#include $RULE_PATH/file-other.rules
+#include $RULE_PATH/file-pdf.rules
 include $RULE_PATH/finger.rules
 include $RULE_PATH/ftp.rules
 include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/icmp.rules
 include $RULE_PATH/imap.rules
-include $RULE_PATH/indicator-compromise.rules
-include $RULE_PATH/indicator-obfuscation.rules
-include $RULE_PATH/indicator-scan.rules
-include $RULE_PATH/indicator-shellcode.rules
+#include $RULE_PATH/indicator-compromise.rules
+#include $RULE_PATH/indicator-obfuscation.rules
+#include $RULE_PATH/indicator-scan.rules
+#include $RULE_PATH/indicator-shellcode.rules
 include $RULE_PATH/info.rules
-include $RULE_PATH/malware-backdoor.rules
-include $RULE_PATH/malware-cnc.rules
-include $RULE_PATH/malware-other.rules
-include $RULE_PATH/malware-tools.rules
+#include $RULE_PATH/malware-backdoor.rules
+#include $RULE_PATH/malware-cnc.rules
+#include $RULE_PATH/malware-other.rules
+#include $RULE_PATH/malware-tools.rules
 include $RULE_PATH/misc.rules
 include $RULE_PATH/multimedia.rules
 include $RULE_PATH/mysql.rules
 include $RULE_PATH/netbios.rules
 include $RULE_PATH/nntp.rules
 include $RULE_PATH/oracle.rules
-include $RULE_PATH/os-linux.rules
-include $RULE_PATH/os-mobile.rules
-include $RULE_PATH/os-other.rules
-include $RULE_PATH/os-solaris.rules
-include $RULE_PATH/os-windows.rules
+#include $RULE_PATH/os-linux.rules
+#include $RULE_PATH/os-mobile.rules
+#include $RULE_PATH/os-other.rules
+#include $RULE_PATH/os-solaris.rules
+#include $RULE_PATH/os-windows.rules
 include $RULE_PATH/other-ids.rules
 include $RULE_PATH/p2p.rules
-include $RULE_PATH/phishing-spam.rules
-include $RULE_PATH/policy-multimedia.rules
-include $RULE_PATH/policy-other.rules
+#include $RULE_PATH/phishing-spam.rules
+#include $RULE_PATH/policy-multimedia.rules
+#include $RULE_PATH/policy-other.rules
 include $RULE_PATH/policy.rules
-include $RULE_PATH/policy-social.rules
-include $RULE_PATH/policy-spam.rules
+#include $RULE_PATH/policy-social.rules
+#include $RULE_PATH/policy-spam.rules
 include $RULE_PATH/pop2.rules
 include $RULE_PATH/pop3.rules
-include $RULE_PATH/protocol-dns.rules
-include $RULE_PATH/protocol-finger.rules
-include $RULE_PATH/protocol-ftp.rules
-include $RULE_PATH/protocol-icmp.rules
-include $RULE_PATH/protocol-imap.rules
-include $RULE_PATH/protocol-nntp.rules
-include $RULE_PATH/protocol-pop.rules
-include $RULE_PATH/protocol-rpc.rules
-include $RULE_PATH/protocol-scada.rules
-include $RULE_PATH/protocol-services.rules
-include $RULE_PATH/protocol-snmp.rules
-include $RULE_PATH/protocol-telnet.rules
-include $RULE_PATH/protocol-tftp.rules
-include $RULE_PATH/protocol-voip.rules
-include $RULE_PATH/pua-adware.rules
-include $RULE_PATH/pua-other.rules
-include $RULE_PATH/pua-p2p.rules
-include $RULE_PATH/pua-toolbars.rules
+#include $RULE_PATH/protocol-dns.rules
+#include $RULE_PATH/protocol-finger.rules
+#include $RULE_PATH/protocol-ftp.rules
+#include $RULE_PATH/protocol-icmp.rules
+#include $RULE_PATH/protocol-imap.rules
+#include $RULE_PATH/protocol-nntp.rules
+#include $RULE_PATH/protocol-pop.rules
+#include $RULE_PATH/protocol-rpc.rules
+#include $RULE_PATH/protocol-scada.rules
+#include $RULE_PATH/protocol-services.rules
+#include $RULE_PATH/protocol-snmp.rules
+#include $RULE_PATH/protocol-telnet.rules
+#include $RULE_PATH/protocol-tftp.rules
+#include $RULE_PATH/protocol-voip.rules
+#include $RULE_PATH/pua-adware.rules
+#include $RULE_PATH/pua-other.rules
+#include $RULE_PATH/pua-p2p.rules
+#include $RULE_PATH/pua-toolbars.rules
 include $RULE_PATH/rpc.rules
 include $RULE_PATH/rservices.rules
-include $RULE_PATH/scada.rules
+#include $RULE_PATH/scada.rules
 include $RULE_PATH/scan.rules
-include $RULE_PATH/server-apache.rules
-include $RULE_PATH/server-iis.rules
-include $RULE_PATH/server-mail.rules
-include $RULE_PATH/server-mssql.rules
-include $RULE_PATH/server-mysql.rules
-include $RULE_PATH/server-oracle.rules
-include $RULE_PATH/server-other.rules
-include $RULE_PATH/server-samba.rules
-include $RULE_PATH/server-webapp.rules
-include $RULE_PATH/shellcode.rules
+#include $RULE_PATH/server-apache.rules
+#include $RULE_PATH/server-iis.rules
+#include $RULE_PATH/server-mail.rules
+#include $RULE_PATH/server-mssql.rules
+#include $RULE_PATH/server-mysql.rules
+#include $RULE_PATH/server-oracle.rules
+#include $RULE_PATH/server-other.rules
+#include $RULE_PATH/server-samba.rules
+#include $RULE_PATH/server-webapp.rules
+#
+# Note: These rules are disable by default as they are
+# too coarse grained. Enabling them causes a large
+# performance impact
+#include $RULE_PATH/shellcode.rules
 include $RULE_PATH/smtp.rules
 include $RULE_PATH/snmp.rules
-include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/spyware-put.rules
+#include $RULE_PATH/specific-threats.rules
+#include $RULE_PATH/spyware-put.rules
 include $RULE_PATH/sql.rules
 include $RULE_PATH/telnet.rules
 include $RULE_PATH/tftp.rules
 include $RULE_PATH/virus.rules
-include $RULE_PATH/voip.rules
-include $RULE_PATH/web-activex.rules
+#include $RULE_PATH/voip.rules
+#include $RULE_PATH/web-activex.rules
 include $RULE_PATH/web-attacks.rules
 include $RULE_PATH/web-cgi.rules
 include $RULE_PATH/web-client.rules
debian/snort-mysql.postrm0000664000000000000000000000435412317374213012757 0ustar #! /bin/sh # postrm script for snort # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `remove' # * `purge' # * `upgrade' # * `failed-upgrade' # * `abort-install' # * `abort-install' # * `abort-upgrade' # * `disappear' overwrit>r> # for details, see /usr/doc/packaging-manual/ # TODO : Should use /etc/default/snort definitions?
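Review bot: The comment added above the shellcode.rules include has a typo and gives a different reason than the comment added at the top of the hunk: `# Note: These rules are disable by default as they are` should read `disabled`, and the top comment says files are commented out because they are not shipped in Debian, while this one says shellcode.rules is off for performance. Saying explicitly that shellcode.rules is an exception would stop an administrator who follows the top comment's advice from re-enabling it by mistake, e.g. `# Note: shellcode.rules IS shipped but is disabled by default: it is too` / `# coarse-grained and enabling it causes a large performance impact`. Nothing else in the hunk needs changing: the remaining includes are the files the package ships, and the top comment already tells administrators how to re-enable the VRT categories once installed.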
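# Dispatch on the dpkg maintainer-script action passed as $1 (see the
# summary above). Only 'purge' and 'disappear' tear the package's state
# down; every other action must leave files owned by the snort user alone.
case "$1" in
    purge|disappear)
        # Remove logfiles
        rm -rf /var/log/snort/

        # Remove configuration and the checksum files that track it.
        # 'rm -f' tolerates a missing path, so no per-file existence test
        # is needed; any other failure still aborts the script under
        # 'set -e' exactly as a bare 'rm' did.
        for conffile in \
            /etc/snort/snort.debian.conf \
            /etc/snort/snort.common.parameters \
            /etc/default/snort \
            /etc/snort/db-pending-config \
            /etc/snort/database.conf \
            /var/lib/snort/snort.debian.conf.md5sum \
            /var/lib/snort/database.conf.md5sum
        do
            rm -f -- "$conffile"
        done

        # Remove configuration dir, but only when nothing else is left in it
        [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort

        # Remove init.d
        update-rc.d -f snort remove >/dev/null

        # Remove user/group. 'getent passwd snort' / 'getent group snort'
        # exit non-zero when the entry is missing, so the deletion only runs
        # for an account that actually exists (a negated check here would
        # make the deletion dead code). Failures are tolerated on purpose:
        # a leftover account is harmless, an aborted purge is not.
        if getent passwd snort >/dev/null 2>&1; then
            userdel snort 2>/dev/null || true
        fi
        if getent group snort >/dev/null 2>&1; then
            delgroup --only-if-empty snort 2>/dev/null || true
        fi
        ;;
    remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
        # We may not delete the user snort, as there may be
        # files owned by it in /var/log/snort and /etc/snort.
        rm -f -- /etc/snort/db-pending-config
        ;;
esac
# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.
#DEBHELPER#
debian/snort-common.postrm0000664000000000000000000000270112317374526013103 0ustar
#! /bin/sh
# postrm script for snort
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
# * `remove'
# * `purge'
# * `upgrade'
# * `failed-upgrade'
# * `abort-install'
# * `abort-install'
# * `abort-upgrade'
# * `disappear' overwrit>r>
# for details, see /usr/doc/packaging-manual/

case "$1" in
    purge)
        # old versions of the snort-common package created the database
        # configuration file on installation.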
# If it is still there and is empty, it can be safely removed. # If not empty, then the file has information that was introduced # by the configuration of the (deprecated) snort database 'flavor' # packages (previous to 2.9.3) which should have purged the file. # So we leave it there to prevent interfering with local changes. # should deal with it themselves when purge if [ -e /etc/snort/database.conf ] && [ ! -s /etc/snort/database.conf ] then rm -f /etc/snort/database.conf fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade) # nothing esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. #DEBHELPER# debian/snort-mysql.docs0000664000000000000000000000035512317374213012360 0ustar doc/AUTHORS doc/BUGS doc/CREDITS doc/NEWS doc/README doc/README.PLUGINS doc/USAGE doc/README.database doc/README.csv debian/my/snort_rules.html debian/README.Maintainer debian/README-database.Debian debian/README-database-upgrade.Debian debian/snort.config0000664000000000000000000001033212317374526011535 0ustar #!/bin/sh -e . /usr/share/debconf/confmodule test $DEBIAN_SCRIPT_DEBUG && set -v -x INTERFACES="" if [ -r /etc/snort/snort.debian.conf ] ; then . /etc/snort/snort.debian.conf # Set the variables in debconf using the configuration values # (if defined) [ ! -z "$DEBIAN_SNORT_STARTUP" ] && { db_set snort/startup "$DEBIAN_SNORT_STARTUP"; db_fset snort/startup seen true ; } [ ! -z "$DEBIAN_SNORT_HOME_NET" ] && { db_set snort/address_range "$DEBIAN_SNORT_HOME_NET"; db_fset snort/address_range seen true ; } if [ ! 
-z "$DEBIAN_SNORT_OPTIONS" ] ; then
        # Remove the -p option which is added in postinst due to the
        # 'DISABLE_PROMISCUOUS' debconf option
        DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -p$//'`
        db_get snort/reverse_order
        if [ "x$RET" = "xyes" ]; then
            # Remove the -o option which was introduced by Debconf
            # (snort/reverse_order) in versions previous to 2.8.5.2-2
            DEBIAN_SNORT_OPTIONS=`echo "$DEBIAN_SNORT_OPTIONS" | sed -e 's/ -o$//'`
        fi
        db_set snort/options "$DEBIAN_SNORT_OPTIONS"
        db_fset snort/options seen true
    fi
    # Seed the remaining debconf answers from the values already present in
    # snort.debian.conf and mark them as seen so they are not asked again.
    [ ! -z "$DEBIAN_SNORT_INTERFACE" ] && { db_set snort/interface "$DEBIAN_SNORT_INTERFACE"; db_fset snort/interface seen true ; }
    [ ! -z "$DEBIAN_SNORT_SEND_STATS" ] && { db_set snort/send_stats "$DEBIAN_SNORT_SEND_STATS"; db_fset snort/send_stats seen true ; }
    [ ! -z "$DEBIAN_SNORT_STATS_RCPT" ] && { db_set snort/stats_rcpt "$DEBIAN_SNORT_STATS_RCPT" ; db_fset snort/stats_rcpt seen true ; }
    [ ! -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && { db_set snort/stats_treshold "$DEBIAN_SNORT_STATS_THRESHOLD"; db_fset snort/stats_treshold seen true ; }
fi

#######################################
# Check the interface status, abort with error if one is configured but it
# is not available.
# Globals:   INTERFACES (read) - interface names, comma or space separated
# Returns:   0 when INTERFACES is empty or every listed interface shows the
#            UP flag in 'ifconfig' output; 1 at the first one that does not
# NOTE(review): depends on net-tools 'ifconfig' and on "UP" appearing as a
# whole word in its output; $INTERFACES is left unquoted on purpose so the
# space-separated form splits into words.
#######################################
check_interfaces() {
    [ -z "$INTERFACES" ] && return 0
    ints=`echo $INTERFACES | sed -e 's/,/ /g'`
    for iface in $ints; do
        if ! LC_ALL=C ifconfig "$iface" 2>/dev/null | grep -w UP >/dev/null; then
            return 1
        fi
    done
    return 0
}

# Ask how Snort should be started first; the answer decides whether the
# interface questions are asked at all.
db_input low snort/startup || true
db_go

# /etc/ppp/ip-up.d/snort is called with interface and IP number
db_get snort/startup
if [ "x$RET" = "xdialup" ]; then
    # Dial-up: the interface is only known when the link comes up, so the
    # static interface/address answers are cleared.
    db_set snort/interface ""
    db_set snort/address_range ""
    db_set snort/disable_promiscuous true
else
    db_beginblock
    # Interface default in case the configuration file does not exist
    if [ -z "$DEBIAN_SNORT_INTERFACE" ] ; then
        INTERFACES=eth0
    else
        INTERFACES="$DEBIAN_SNORT_INTERFACE"
    fi
    # Ask for a valid set of interfaces (at most two attempts: the 'ok'
    # flag and 'count' are tested in the loop condition that follows)
    ok=''
    count=0
    while [ !
"$ok" ] && [ "$count" -lt 2 ]; do # Depending on whether the default interface is up or down we set the # question priority priority='medium' if ! check_interfaces then priority='high' db_fset snort/interface seen false fi set +e db_input $priority snort/interface if [ $? -eq 30 ]; then # User is not being shown the question, break out break fi set -e db_go || true # Check the interfaces db_get snort/interface INTERFACES=$RET if ! check_interfaces ; then db_fset snort/invalid_interface seen false db_input critical snort/invalid_interface else ok='yes' fi # Increment the count, we only go through this two times count=$(($count+1)) done db_input high snort/address_range || true db_input low snort/disable_promiscuous || true db_endblock db_go fi db_beginblock db_input low snort/options || true db_endblock db_go db_beginblock db_input low snort/send_stats || true db_go db_get snort/send_stats if [ "x$RET" = "xtrue" ]; then # TODO: This values should not be empty (even # if we default to 'root' and '1' in the scripts) # so the config script should check wether the # values here are legitimate. db_beginblock db_input medium snort/stats_rcpt || true db_input low snort/stats_treshold || true db_endblock db_go fi DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters if [ -e "$DEFAULT" ] && [ -e "$PARAMETERS" ] ; then db_beginblock db_input high snort/config_parameters || true db_endblock db_go fi db_get snort/startup if [ "x$RET" = "xmanual" ]; then db_beginblock db_input medium snort/please_restart_manually || true db_endblock db_go fi db_stop debian/snort-inline.common.parameters0000664000000000000000000000006112317374213015165 0ustar -m 027 -D -l /var/log/snort -d -u snort -g snort debian/snort-pgsql.postrm0000664000000000000000000000440712317374213012737 0ustar #! 
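/bin/sh
# postrm script for snort
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
# * `remove'
# * `purge'
# * `upgrade'
# * `failed-upgrade'
# * `abort-install'
# * `abort-install'
# * `abort-upgrade'
# * `disappear' <overwriter>
# for details, see /usr/doc/packaging-manual/

# TODO : Should use /etc/default/snort definitions?

# Dispatch on the dpkg maintainer-script action passed as $1 (see the
# summary above). Only 'purge' and 'disappear' tear the package's state
# down; every other action must leave files owned by the snort user alone.
case "$1" in
    purge|disappear)
        # Remove logfiles
        rm -rf /var/log/snort/

        # Remove configuration and the checksum files that track it.
        # 'rm -f' tolerates a missing path, so no per-file existence test
        # is needed; any other failure still aborts the script under
        # 'set -e' exactly as a bare 'rm' did.
        for conffile in \
            /etc/snort/snort.debian.conf \
            /etc/snort/snort.common.parameters \
            /etc/default/snort \
            /etc/snort/db-pending-config \
            /etc/snort/database.conf \
            /var/lib/snort/snort.debian.conf.md5sum \
            /var/lib/snort/database.conf.md5sum
        do
            rm -f -- "$conffile"
        done

        # Remove configuration dir, but only when nothing else is left in it
        [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort

        # Remove init.d
        update-rc.d -f snort remove >/dev/null

        # Remove user/group. 'getent passwd snort' / 'getent group snort'
        # exit non-zero when the entry is missing, so the deletion only runs
        # for an account that actually exists (a negated check here would
        # make the deletion dead code). Failures are tolerated on purpose:
        # a leftover account is harmless, an aborted purge is not.
        if getent passwd snort >/dev/null 2>&1; then
            userdel snort 2>/dev/null || true
        fi
        if getent group snort >/dev/null 2>&1; then
            delgroup --only-if-empty snort 2>/dev/null || true
        fi
        ;;
    remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
        # We may not delete the user snort, as there may be
        # files owned by it in /var/log/snort and /etc/snort.
        rm -f -- /etc/snort/db-pending-config
        ;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.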
#DEBHELPER# debian/source/0000775000000000000000000000000012317374213010473 5ustar debian/source/format0000664000000000000000000000001412317374526011710 0ustar 3.0 (quilt) debian/snort-doc.doc-base.faq0000664000000000000000000000054412317374213013253 0ustar Document: snort-faq Title: Snort FAQ Author: The Snort Core Team Abstract: Frequently Asked Questions for the Snort NIDS This document provides answers to some of the most common (and frequently asked) questions related to the Snort network intrusion detection system. Section: Network/Monitoring Format: pdf Files: /usr/share/doc/snort-doc/faq.pdf.gz debian/snort-inline.preinst0000664000000000000000000000565212317374213013232 0ustar #!/bin/sh set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' DEFAULT=/etc/default/snort PARAMETERS=/etc/snort/snort.common.parameters # Initialise variables SNORTUSER="" SNORTGROUP="" LOGDIR="" check_parameters() { # Check if the old parameters file is there and this is # an upgrade (default is not) # Abort if either the old parameters file does not exist # or if the new default has already been installed [ ! -r "$PARAMETERS" ] && return [ -r "$DEFAULT" ] && return # Extract our values from there logdir=`cat $PARAMETERS | perl -ne 'print $1 if /-l\s+([\w\/]+)/'` user_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-u\s+(\w+)/'` group_snort=`cat $PARAMETERS | perl -ne 'print $1 if /-g\s+(\w+)/'` extraparms=`cat $PARAMETERS | sed -e 's/-l[[:space:]]\+[\/[:alnum:]]\+[[:space:]]\+//g; s/-u[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g; s/-g[[:space:]]\+[[:alnum:]]\+[[:space:]]*//g;'` echo "Creating new $DEFAULT configuration based on $PARAMETERS" cat <$DEFAULT # Parameters for the daemon PARAMS="$extraparms" # Logging directory LOGDIR="$logdir" # Snort user SNORTUSER="$user_snort" # Snort group SNORTGROUP="$group_snort" EOF return } case "$1" in install|upgrade) check_parameters [ -r "$DEFAULT" ] && . 
$DEFAULT # Sane defaults, just in case [ -z "$SNORTUSER" ] && SNORTUSER=snort [ -z "$SNORTGROUP" ] && SNORTGROUP=snort [ -z "$LOGDIR" ] && LOGDIR=/var/log/snort # create snort user to avoid running snort as root # 1. create group if not existing if ! getent group | grep -q "^$SNORTGROUP:" ; then addgroup --quiet --system $SNORTGROUP 2>/dev/null || true fi # 2. create homedir if not existing test -d $LOGDIR || mkdir $LOGDIR # 3. create user if not existing if ! getent passwd | grep -q "^$SNORTUSER:"; then adduser --quiet \ --system \ --ingroup $SNORTGROUP \ --no-create-home \ --disabled-password \ $SNORTUSER 2>/dev/null || true fi # 4. adjust passwd entry usermod -c "Snort IDS" \ -d $LOGDIR \ -g $SNORTGROUP \ $SNORTUSER # 5. adjust file and directory permissions if ! dpkg-statoverride --list $LOGDIR >/dev/null then chown -R $SNORTUSER:adm $LOGDIR chmod u=rwx,g=rxs,o= $LOGDIR fi # setup /etc/snort test -d /etc/snort || mkdir /etc/snort # move config file to new location if [ -e /etc/snort.conf ]; then mv /etc/snort.conf /etc/snort/snort.conf fi # rename probably existing cron job with old name if [ -e /etc/cron.daily/snort ]; then mv /etc/cron.daily/snort /etc/cron.daily/5snort fi ;; configure) ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 0 ;; esac # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. 
#DEBHELPER# exit 0 debian/snort-inline.logrotate0000664000000000000000000000041712317374213013540 0ustar /var/log/snort/portscan.log /var/log/snort/alert /var/log/snort/portscan2.log { daily rotate 7 compress missingok notifempty create 0640 snort adm sharedscripts postrotate /etc/init.d/snort restart > /dev/null 2>&1 endscript } debian/copyright_review.sh0000664000000000000000000000024712317374526013132 0ustar #!/bin/ # Review copyright statements and filter out known ones # (in copyright_list) SOURCE=../src grep -ri copyright $SOURCE | grep -v -f copyright_list exit 0 debian/snort.debian.conf0000664000000000000000000000066712317374526012450 0ustar # This file is used for options that are changed by Debian to leave # the original lib files untouched. # You have to use "dpkg-reconfigure snort(-flavour)?" to change them. # # Replace (-flavour)? by pgsql, mysql or keep it empty depending on # what flavour of Snort you run. # DEBIAN_SNORT_STARTUP=boot DEBIAN_SNORT_HOME_NET="192.168.0.0/16" DEBIAN_SNORT_OPTIONS="-i eth0" DEBIAN_SNORT_STATS_RCPT="root" DEBIAN_SNORT_STATS_THRESHOLD="1" debian/TODO0000664000000000000000000001143512317374526007676 0ustar TODO things for Snort in Debian ------------------------------- - [upgrade to 2.9.3] Detect if the snort-mysql/pgsl packages were installed before and warn if there are problems in the snort.conf configuration that might lead to the package not running. This could be done by e.g. checking in the snort.conf if there are any 'output database' lines (introduced by a user) or an 'include database.conf' (provided by the Debian packages prior to the 2.9.3 version) - Provide support to avoid specifying the address range for multiple interfaces (or skip this if you have more than once and substitute by a note telling the admin to configure this in the snort.$IFACE.conf file). This could be done using 'ip addr show $IFACE' and extracting the value from the 'inet' component. 
Note: This should only be done if only *one interface is available - Try to use the interface defined IP address to set the address range (and lower the questions priority This should also handle multiple interfaces. (see bug #248000) - Add a note in the debconf propmt that users can use '\$eth0_ADDRESS' (or '\$eth1_ADDRESS' etc..) to use the interface's address regardless of the configured address. (Note that \$ or otherwise it will be expanded in the scripts) REVIEW: How does Snort use this to expand it in HOME_NET Note, this has been requested at least in https://bugs.launchpad.net/ubuntu/+source/snort/+bug/566543 - Fix bugs related to an interface being used which is not available This seems to break when configuring the package: https://bugs.launchpad.net/ubuntu/+source/snort/+bug/655116 - snort-{mysql,pgsl}: Database configuration should ensure that only valid characters are included here. Since the information is written into a configuration file at least hashes should be prevented. See: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567495 - snort-{mysql,pgsl}: Offer the user an option to automatically create the database since the schemas (at /usr/share/doc/snort*) stuff is not available on installation. This confuses users since they are asked for some information (network interface, IP address) but not the information related to database configuration. Use dbconfig-common for this. Review what other packages (gnudip? horde? imp? sitebar? openwebmail?) have done and consider the use of the generic user for database administration. Note that database permissions for the 'snort' user need to be properly setup! 
Also see: http://lists.debian.org/debian-devel/2004/08/msg01104.html http://lists.debian.org/debian-devel/2004/10/msg00340.html and http://lists.debian.org/debian-devel/2004/10/msg00962.html - Include Rpm improvements to the init.d file suchas : * The init.d file could use separate LOGDIR files per interface instead of one for all instances (bound to break) just like it's done in the RedHat init script. The check_logdir function should be called per possible LOGDIR definition. If the LOGDIR did not exist it should be created with proper permissions. Note: logrotate definitions will need to be changed if this is changed * stats option in the init.d file * Additional /etc/default/snort parameters similar to the RPM ones for compatibility - Include ntop improvements to init.d script: check if interface is up - Use LSB functions in Init.d script - Break up the init.d script into reusable functions Also: add a check in order to determine if the snort sensor started up properly or it did not. - The check_log_dir check in the init.d script could best check if the LOGDIR directory is writable by the snort user. It might not be good (security-wise) to force it's owned by the snort user (since then it would be able to remove its own logs) - Check if --enable-flexresp works with libnet 1.1.x - The snort-common package currently does not check if you _accepted_ the config file provided, this is related to bug #247665 which is partially fixed by the snort-common Source-Version depends introduced in 2.2.0-2 - Add some common logcheck rules (see #222584, and #217175) DONE - Determine, if the interface is configured and up. (see bug #248000) - Have a way in preinst to migragte from the old common.parameters to the new /etc/default/snort so that all users can benefit from it. - Provide an update script, as required in #191105 Done: snort-rules-default currently recommends: 'oinkmaster' better that than maintaining a separate update script unmaintained upstream. 
- Rewrite the "address range" question. It actually does not explain what it is actually used for (HOME_NET) NOT REQUIRED - Use ucf to integrate changes by the maintainer when upgrading. Justification: The package has be changed to try to not make changes through scripts in the maintainer's file debian/snort.cron.daily0000664000000000000000000000236512317374526012341 0ustar #!/bin/sh -e test -f /usr/sbin/snort || exit 0 LOGFILE=/var/log/snort/alert PATH=/bin:/usr/bin:/sbin:/usr/sbin CONFIG=/etc/snort/snort.debian.conf . $CONFIG # Don't generate stats if we are configured not to [ "$DEBIAN_SNORT_SEND_STATS" = "false" ] && exit 0 export DEBIAN_SNORT_STATS_RCPT DEBIAN_SNORT_STATS_THRESHOLD # Just in case it's not properly configured for whatever reason [ -z "$DEBIAN_SNORT_STATS_THRESHOLD" ] && DEBIAN_SNORT_STATS_THRESHOLD=1 [ -z "$DEBIAN_SNORT_STATS_RCPT" ] && DEBIAN_SNORT_STATS_RCPT=root # Cannot use logrotate to rotate these logfiles... # 'rotate' saved RAW-Ethernet streams # New snort has different naming scheme, old one still here for upgrades find /var/log/snort -name "snort-*@*.log" -mtime +15 | xargs --no-run-if-empty rm find /var/log/snort -name "tcpdump.log.*" -mtime +15 | xargs --no-run-if-empty rm find /var/log/snort -name "snort.log.*" -mtime +15 | xargs --no-run-if-empty rm # Mail snort stats if [ -s $LOGFILE ]; then (echo "To: $DEBIAN_SNORT_STATS_RCPT"; snort-stat -a -t $DEBIAN_SNORT_STATS_THRESHOLD < $LOGFILE) | sendmail -t fi # Restarting snort is now handled by the logrotate configuration. # The 'intelligence' of not to start in certain startup-modes moved # to the init.d script as well. 
exit 0 debian/oldrules.md50000664000000000000000000000303712317374526011445 0ustar 3bc265bef3ff5fc675f9f1acf8ea6390 attack-responses.rules c20eb0f3f140b7659ebd37f2e3553f2d backdoor.rules 08b710276367c03fcd26d1b3512a870d bad-traffic.rules 48683f29e6452e4e43f1af004f537485 ddos.rules f605e07289ace0adc279aa46225834a5 dns.rules b231ab5af973df5f06201f16be8a37ff dos.rules 31788f18caaed776f021e5029bdd6757 exploit.rules 3f0c90491298edd0dfc37a6afc9ffac6 finger.rules a2f2068460b622a85624b664d9108b36 ftp.rules c580f094d32435915f893c2661fb73dc icmp-info.rules 3abbb384dd222225560ec87b324b63ce icmp.rules 9159fed0eda9c16245f4c6edb94c0d7c info.rules 8005f28d5e2400c474a7b765029eefb5 local.rules 8204b5ce028496bca3f95a06dfca10b9 misc.rules f63f7c3c9a9f627521b0dcce1e134f1f netbios.rules fe402fc3c9e795ea22af59be84683be5 policy.rules 00b1e66fe86b46bf94460320ca71d972 porn.rules c23be32425937a87219ccd0ee4f85813 rpc.rules 82a173d9144a11ea1e686fcec730549a rservices.rules c9dd621a43c896dde6dd2da09575897f scan.rules 55a0e660ea08c314cf4d5c19f7973f83 shellcode.rules b304d4b570e94112d6b025d6a55007c1 smtp.rules ccff2e48615eb7d27466b26a9dd66b66 sql.rules f68e3bee2ab97ce729f20a0f4751ca04 telnet.rules a263d7e4526e8012aafd9daf62690519 tftp.rules 2abd1c03364a8a1c01650764cf2af2f1 virus.rules fe239ae24a682d3d47251c28689fc9ec web-attacks.rules 2e99d333c4ab20bfd3f5694915b6d591 web-cgi.rules 3051d9dda0ed859487580733b2a318d2 web-coldfusion.rules b7fc9e8371d04b5ec203651c15135657 web-frontpage.rules e7100df55b15a262f45d0a2940594d1f web-iis.rules 028a217dbdc67fea026a1f7c3dd6560b web-misc.rules 6e85b6a55b84bffc29fd58b8e6747b65 x11.rules debian/snort.DATABASE.templates0000664000000000000000000000245312317374213013427 0ustar Template: snort{PACKAGE}/configure_db Type: boolean Default: true _Description: Set up a database for snort{PACKAGE} to log to? No database has been set up for Snort to log to. Before continuing, you should make sure you have: . 
- the server host name (that server must allow TCP connections from this machine); - a database on that server; - a username and password to access the database. . If some of these requirements are missing, reject this option and run with regular file logging support. . Database logging can be reconfigured later by running 'dpkg-reconfigure -plow snort{PACKAGE}'. Template: snort{PACKAGE}/db_host Type: string _Description: Database server hostname: Please specify the host name of a database server that allows incoming connections from this host. Template: snort{PACKAGE}/db_database Type: string _Description: Database name: Please specify the name of an existing database to which the database user has write access. Template: snort{PACKAGE}/db_user Type: string _Description: Username for database access: Please specify a database server username with write access to the database. Template: snort{PACKAGE}/db_pass Type: password _Description: Password for the database connection: Please enter the password to use to connect to the Snort Alert database. debian/snort-inline.init.d0000664000000000000000000001453112317374213012727 0ustar #!/bin/sh -e test $DEBIAN_SCRIPT_DEBUG && set -v -x DAEMON=/usr/sbin/snort NAME=snort DESC="Network Intrusion Detection System" CONFIG=/etc/snort/snort.debian.conf # Old (obsolete) way to provide parameters if [ -r /etc/snort/snort.common.parameters ] ; then COMMON=`cat /etc/snort/snort.common.parameters` elif [ -r /etc/default/snort ] ; then # Only read this if the old configuration is not present . /etc/default/snort COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP" fi test -x $DAEMON || exit 0 test -f $CONFIG && . $CONFIG test -z "$DEBIAN_SNORT_HOME_NET" && DEBIAN_SNORT_HOME_NET="192.168.0.0/16" # to find the lib files cd /etc/snort check_log_dir() { # Does the logging directory belong to Snort? 
# If we cannot determine the logdir return without error # (we will not check it) # This will only be used by people using /etc/default/snort [ -n "$LOGDIR" ] || return 0 [ -n "$SNORTUSER" ] || return 0 if [ ! -e "$LOGDIR" ] ; then echo -n "ERR: logging directory $LOGDIR does not exist" return 1 elif [ ! -d "$LOGDIR" ] ; then echo -n "ERR: logging directory $LOGDIR does not exist" return 1 else real_log_user=`stat -c %U $LOGDIR` # An alternative way is to check if the snort user can create # a file there... if [ "$real_log_user" != "$SNORTUSER" ] ; then echo -n "ERR: logging directory $LOGDIR does not belong to the snort user $SNORTUSER" return 1 fi fi return 0 } case "$1" in start) if [ -e /etc/snort/db-pending-config ] ; then echo "WARN: /etc/snort/db-pending-config file found" echo "WARN: Snort will not start as its database is not yet configured." echo "WARN: Please configure the database as described in" echo "WARN: /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian" echo "WARN: and remove /etc/snort/db-pending-config" exit 1 fi echo -n "Starting $DESC: " if ! check_log_dir; then echo " will not start $DESC!" exit 1 fi if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then shift set +e /etc/ppp/ip-up.d/snort "$@" exit $? fi # Usually, we start all interfaces interfaces="$DEBIAN_SNORT_INTERFACE" # If we are requested to start a specific interface... test "$2" && interfaces="$2" myret=0 got_instance=0 for interface in $interfaces; do got_instance=1 echo -n "$NAME($interface)" PIDFILE=/var/run/snort_$interface.pid fail="failed (check /var/log/daemon.log)" /sbin/start-stop-daemon --stop --signal 0 --quiet \ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null && fail="already running" CONFIGFILE=/etc/snort/snort.$interface.conf if [ ! 
-e "$CONFIGFILE" ]; then echo "using /etc/snort/snort.conf" CONFIGFILE=/etc/snort/snort.conf else echo "using /etc/snort/snort.$interface.conf" fi set +e /sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" \ --exec $DAEMON -- $COMMON $DEBIAN_SNORT_OPTIONS \ -c $CONFIGFILE \ -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \ -i $interface >/dev/null ret=$? set -e case "$ret" in 0) echo "." ;; *) echo "...$fail." myret=$(expr "$myret" + 1) ;; esac done if [ "$got_instance" = 0 ]; then echo "No snort instance found to be started!" >&2 exit 1 fi exit $myret ;; stop) if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then shift set +e /etc/ppp/ip-down.d/snort "$@" exit $? fi # Usually, we stop all current running interfaces pidpattern=/var/run/snort_*.pid # If we are requested to stop a specific interface... test "$2" && pidpattern=/var/run/snort_"$2".pid got_instance=0 for PIDFILE in $pidpattern; do # This check is also needed, if the above pattern doesn't match test -f "$PIDFILE" || continue got_instance=1 interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//') echo -n "Stopping $DESC: $NAME($interface)" /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null rm -f "$PIDFILE" echo "." done if [ "$got_instance" = 0 ]; then echo "No snort instance found to be stopped!" >&2 fi ;; restart|force-restart|reload|force-reload) # Usually, we restart all current running interfaces pidpattern=/var/run/snort_*.pid # If we are requested to restart a specific interface... test "$2" && pidpattern=/var/run/snort_"$2".pid got_instance=0 for PIDFILE in $pidpattern; do # This check is also needed, if the above pattern doesn't match test -f "$PIDFILE" || continue got_instance=1 interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//') $0 stop $interface || true $0 start $interface || true done if [ "$got_instance" = 0 ]; then echo "No snort instance found to be restarted!" 
>&2 fi ;; status) echo -n "Status of snort daemon(s):" interfaces="$DEBIAN_SNORT_INTERFACE" # If we are requested to check for a specific interface... test "$2" && interfaces="$2" for interface in $interfaces; do echo -n " $interface " pidfile=/var/run/snort_$interface.pid if [ -f "$pidfile" ] ; then pidval=`cat $pidfile` if ps -p $pidval | grep -q snort; then echo -n "(ok)" else echo -n "(nok!)" fi else echo -n "(nok!)" fi done echo "." ;; config-check) if [ "$DEBIAN_SNORT_STARTUP" = "dialup" ]; then echo "Config-check is currently not supported for snort in Dialup configuration" exit 0 fi # usually, we test all interfaces interfaces="$DEBIAN_SNORT_INTERFACE" # if we are requested to test a specific interface... test "$2" && interfaces="$2" myret=0 got_instance=0 for interface in $interfaces; do got_instance=1 echo -n "checking $desc config: $name($interface)" CONFIGFILE=/etc/snort/snort.$interface.conf if [ ! -e "$CONFIGFILE" ]; then CONFIGFILE=/etc/snort/snort.conf fi COMMON=`echo $COMMON | sed -e 's/-D//'` set +e $DAEMON -T $COMMON $DEBIAN_SNORT_OPTIONS \ -c $CONFIGFILE \ -S "HOME_NET=[$DEBIAN_SNORT_HOME_NET]" \ -i $interface >/dev/null 2>&1 ret=$? set -e case "$ret" in 0) echo ".ok." ;; *) echo "...failed." myret=$(expr "$myret" + 1) ;; esac done if [ "$got_instance" = 0 ]; then echo "no snort instance found to be started!" >&2 exit 1 fi exit $myret ;; *) echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}" exit 1 ;; esac exit 0