├── README.md ├── docker ├── build.sh ├── labs │ ├── lab2 │ │ ├── get-request.pcap │ │ └── local.rules │ ├── lab3 │ │ ├── neutrino_flash_exploit.pcap │ │ └── local.rules │ └── lab1 │ │ └── local.rules ├── tools │ └── fix_checksum ├── connect.sh ├── etc │ ├── reference.config │ ├── rules │ │ ├── chat.rules │ │ ├── ddos.rules │ │ ├── dns.rules │ │ ├── dos.rules │ │ ├── ftp.rules │ │ ├── icmp.rules │ │ ├── imap.rules │ │ ├── info.rules │ │ ├── misc.rules │ │ ├── nntp.rules │ │ ├── p2p.rules │ │ ├── pop2.rules │ │ ├── pop3.rules │ │ ├── rpc.rules │ │ ├── scan.rules │ │ ├── smtp.rules │ │ ├── snmp.rules │ │ ├── tftp.rules │ │ ├── voip.rules │ │ ├── local.rules │ │ ├── mysql.rules │ │ ├── virus.rules │ │ ├── finger.rules │ │ ├── oracle.rules │ │ ├── policy.rules │ │ ├── telnet.rules │ │ ├── exploit.rules │ │ ├── web-cgi.rules │ │ ├── web-iis.rules │ │ ├── web-php.rules │ │ ├── backdoor.rules │ │ ├── blacklist.rules │ │ ├── icmp-info.rules │ │ ├── other-ids.rules │ │ ├── rservices.rules │ │ ├── shellcode.rules │ │ ├── web-misc.rules │ │ ├── botnet-cnc.rules │ │ ├── multimedia.rules │ │ ├── web-client.rules │ │ ├── bad-traffic.rules │ │ ├── spyware-put.rules │ │ ├── web-activex.rules │ │ ├── web-attacks.rules │ │ ├── experimental.rules │ │ ├── phishing-spam.rules │ │ ├── web-coldfusion.rules │ │ ├── web-frontpage.rules │ │ ├── attack-responses.rules │ │ ├── specific-threats.rules │ │ ├── scada.rules │ │ ├── x11.rules │ │ ├── policy-multimedia.rules │ │ ├── protocol-finger.rules │ │ ├── protocol-nntp.rules │ │ ├── protocol-services.rules │ │ ├── content-replace.rules │ │ ├── pua-p2p.rules │ │ ├── os-solaris.rules │ │ ├── protocol-pop.rules │ │ ├── protocol-tftp.rules │ │ ├── protocol-other.rules │ │ ├── protocol-telnet.rules │ │ ├── protocol-snmp.rules │ │ └── indicator-scan.rules │ ├── preproc_rules │ │ ├── sensitive-data.rules │ │ └── deleted.rules │ ├── attribute_table.dtd │ ├── threshold.conf │ └── classification.config ├── include │ ├── vimrc │ ├── ir_black.vim │ └── 
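hog.vim ├── Dockerfile └── run_pcap.sh └── LICENSE
/README.md:
--------------------------------------------------------------------------------
1 | Snort 2 in a docker container
2 |
--------------------------------------------------------------------------------
/docker/build.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# build.sh: build the local "snort2" image.
#
# The build context is the directory holding this script, which is where
# the Dockerfile lives according to the repository tree. Changing into it
# first makes the script work no matter which directory it is invoked from;
# running it from docker/ behaves exactly as before.
set -e
cd "$(dirname "$0")"
docker build -t snort2 .
--------------------------------------------------------------------------------
/docker/labs/lab2/get-request.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cisco-Talos/snort2-docker/HEAD/docker/labs/lab2/get-request.pcap
--------------------------------------------------------------------------------
/docker/labs/lab3/neutrino_flash_exploit.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cisco-Talos/snort2-docker/HEAD/docker/labs/lab3/neutrino_flash_exploit.pcap
--------------------------------------------------------------------------------
/docker/labs/lab1/local.rules:
--------------------------------------------------------------------------------
1 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST Curl outbound connection attempt"; flow:to_server,established; content:"User-Agent: "; http_header; content:"curl/"; http_header; fast_pattern; sid:1000000;)
2 |
--------------------------------------------------------------------------------
/docker/labs/lab2/local.rules:
--------------------------------------------------------------------------------
1 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TEST Curl outbound connection attempt"; flow:to_server,established; content:"User-Agent: "; http_header; content:"curl/"; http_header; fast_pattern; sid:1000000;)
2 |
--------------------------------------------------------------------------------
/docker/tools/fix_checksum: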
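--------------------------------------------------------------------------------
#!/usr/bin/env bash
#
# fix_checksum: recompute the checksums of a pcap in place with tcprewrite,
# keeping an untouched copy of the input as <pcap>.orig.
#
#   usage: fix_checksum <pcap> [ random ]
#
# Any non-empty second argument additionally rewrites the src/dst IPs using a
# random seed. To get a reproducible rewrite instead, call tcprewrite directly
# with a fixed seed, e.g. --seed=423.

if test -z "$1"
then
    echo "usage: $(basename "$0") <pcap> [ random ]"
    echo "random is used if you would like to rewrite the src/dst ips to something random"
    echo
    exit 1
elif test ! -e "$1"
then
    echo "ERROR: $1 doesn't exist"
    exit 1
fi

# Fail early with a clear message if the tool is missing, instead of reaching
# the final mv with no temp file and a confusing error.
if ! command -v tcprewrite >/dev/null 2>&1
then
    echo "ERROR: tcprewrite not found in PATH (it ships with tcpreplay)"
    exit 1
fi

# Optional flags live in an array so that "no flag" expands to no argument at
# all; the filename and flags are always quoted so paths with spaces or glob
# characters are passed through untouched.
extra=()
if test ! -z "$2"
then
    extra=("--seed=$RANDOM")
fi

# Write to a temp file and only replace the input once tcprewrite succeeded,
# so a failed or partial rewrite never clobbers the original capture.
cp -- "$1" "$1.orig" || exit 1
if ! tcprewrite --fixcsum -i "$1" -o "$1.tmp" "${extra[@]}"
then
    echo "ERROR: tcprewrite failed; $1 left unchanged (copy in $1.orig)"
    rm -f -- "$1.tmp"
    exit 1
fi
mv -v -- "$1.tmp" "$1"
--------------------------------------------------------------------------------
/docker/labs/lab3/local.rules:
--------------------------------------------------------------------------------
1 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected"; flow:to_client,established; file_data; content:"|74 70 72 72 75 65 73 74 6A 62 61 66 65 69 61 78 66 6A 72 75 73 70 68 6D 6E 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:attempted-user; sid:36193; rev:2;)
2 |
--------------------------------------------------------------------------------
/docker/connect.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# connect.sh: open an interactive shell in the snort2 image with a local
# Snort configuration directory bind-mounted at /etc/snort.
#
#   usage: connect.sh -c <snort-conf-dir>

set -e

OPTIND=1

show_help() {
    echo "usage: $0 -c <snort-conf-dir>"
}

# -p and -q are accepted for backward compatibility but are currently unused.
# The leading ':' makes getopts report errors through the ':' and '?' cases
# below (with the offending option in OPTARG) instead of printing its own.
while getopts ":hp:c:q" opt; do
    case "$opt" in
        h)
            show_help
            exit 0
            ;;
        c)
            # docker -v needs an absolute host path; quote so paths with
            # spaces survive.
            conf="$(realpath "$OPTARG")"
            ;;
        :)
            echo "Option -$OPTARG requires an argument"
            show_help
            exit 1
            ;;
        \?)
            # A usage error is a failure, so exit non-zero.
            echo "Unknown argument -$OPTARG"
            show_help
            exit 1
            ;;
    esac
done
shift $((OPTIND-1))
echo "Conf: $conf"

if [[ -z "$conf" ]]; then
    echo "snort conf is required"
    show_help
    exit 1
fi

if [[ ! -d "$conf" ]]; then
    echo "snort conf directory is not accessible: $conf"
    exit 1
fi

# The config directory is mounted read-write; append ':ro' to the -v value
# if the container only ever needs to read it.
docker run -it \
    -v "$conf:/etc/snort" \
    snort2 \
    /bin/bash
--------------------------------------------------------------------------------
/docker/etc/reference.config:
--------------------------------------------------------------------------------
1 | # $Id$
2 | # The following defines URLs for the references found in the rules
3 | #
4 | # config reference: system URL
5 |
6 | config reference: bugtraq http://www.securityfocus.com/bid/
7 | config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
8 | config reference: arachNIDS http://www.whitehats.com/info/IDS
9 | config reference: osvdb http://osvdb.org/show/osvdb/
10 |
11 | # Note, this one needs a suffix as well.... lets add that in a bit.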
12 | config reference: McAfee http://vil.nai.com/vil/content/v_ 13 | config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id= 14 | config reference: url http:// 15 | config reference: msb http://technet.microsoft.com/en-us/security/bulletin/ 16 | 17 | -------------------------------------------------------------------------------- /docker/include/vimrc: -------------------------------------------------------------------------------- 1 | " syntax highlighting 2 | syntax on 3 | 4 | " no welcome msg 5 | set shortmess+=I 6 | 7 | " numbered lines 8 | set number 9 | 10 | " fix slow escape 11 | set ttimeoutlen=0 12 | 13 | " spend more time on syntax highlight 14 | " set synmaxcol=10000 15 | autocmd BufEnter * :syntax sync fromstart 16 | 17 | " send more characters for redraws 18 | set ttyfast 19 | 20 | " search highlight 21 | set incsearch 22 | 23 | " set colorscheme 24 | if &t_Co >= 256 || has("gui_running") 25 | colorscheme ir_black 26 | endif 27 | 28 | " show status line 29 | set laststatus=2 30 | 31 | " show status line suggestions 32 | set wildmenu 33 | 34 | " netrw 35 | let g:netrw_banner = 0 36 | 37 | " spelling toggle 38 | nnoremap :set nospell! 39 | 40 | " spelling suggestion 41 | nnoremap z= 42 | -------------------------------------------------------------------------------- /docker/etc/rules/chat.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. 
The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # CHAT RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/ddos.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------ 19 | # DDOS RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/dns.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # DNS RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/dos.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # DOS RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/ftp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # FTP RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/icmp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # ICMP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/imap.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # IMAP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/info.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # INFO RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/misc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------ 19 | # MISC RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/nntp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # NNTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/p2p.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # P2P RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/pop2.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # POP2 RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/pop3.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # POP3 RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/rpc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # RPC RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/scan.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # SCAN RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/smtp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------ 19 | # SMTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/snmp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # SNMP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/tftp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # TFTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/voip.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # VOIP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/local.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # LOCAL RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/mysql.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # MYSQL RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/virus.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # VIRUS RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/finger.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #-------------- 19 | # FINGER RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/oracle.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # ORACLE RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/policy.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # POLICY RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/telnet.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # TELNET RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/exploit.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # EXPLOIT RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-cgi.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # WEB-CGI RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-iis.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # WEB-IIS RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-php.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #--------------- 19 | # WEB-PHP RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/backdoor.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #---------------- 19 | # BACKDOOR RULES 20 | #---------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/blacklist.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # BLACKLIST RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/icmp-info.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # ICMP-INFO RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/other-ids.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # OTHER-IDS RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/rservices.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # RSERVICES RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/shellcode.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # SHELLCODE RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-misc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #---------------- 19 | # WEB-MISC RULES 20 | #---------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/botnet-cnc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # BOTNET-CNC RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/multimedia.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # MULTIMEDIA RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-client.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # WEB-CLIENT RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/bad-traffic.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # BAD-TRAFFIC RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/spyware-put.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # SPYWARE-PUT RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-activex.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # WEB-ACTIVEX RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-attacks.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------- 19 | # WEB-ATTACKS RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/experimental.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------------- 19 | # EXPERIMENTAL RULES 20 | #-------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/phishing-spam.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------------- 19 | # PHISHING-SPAM RULES 20 | #--------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-coldfusion.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #---------------------- 19 | # WEB-COLDFUSION RULES 20 | #---------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/web-frontpage.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------------- 19 | # WEB-FRONTPAGE RULES 20 | #--------------------- 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/attack-responses.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. 
All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------------ 19 | # ATTACK-RESPONSES RULES 20 | #------------------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/rules/specific-threats.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------------ 19 | # SPECIFIC-THREATS RULES 20 | #------------------------ 21 | 22 | -------------------------------------------------------------------------------- /docker/etc/preproc_rules/sensitive-data.rules: -------------------------------------------------------------------------------- 1 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;) 2 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;) 3 | #alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;) 4 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;) 5 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. 
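Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;) 6 | -------------------------------------------------------------------------------- /docker/etc/preproc_rules/deleted.rules: -------------------------------------------------------------------------------- 1 | #alert ( msg: "DELETED HI_CLIENT_BASE36"; sid: 5; gid: 119; rev: 2; metadata: rule-type preproc, service http ; classtype:bad-unknown; ) 2 | #alert ( msg: "DELETED DCERPC_MEMORY_OVERFLOW"; sid: 1; gid: 130; rev: 2; metadata: rule-type preproc ; classtype:attempted-dos; ) 3 | #alert ( msg: "DELETED SMTP_DECODE_MEMCAP_EXCEEDED"; sid: 9; gid: 124; rev: 2; metadata: rule-type preproc, service smtp ; classtype:unknown; ) 4 | #alert ( msg: "DELETED ARPSPOOF_UNICAST_ARP_REQUEST"; sid: 1; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:protocol-command-decode; ) 5 | #alert ( msg: "DELETED ARPSPOOF_ETHERFRAME_ARP_MISMATCH_SRC"; sid: 2; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) 6 | #alert ( msg: "DELETED ARPSPOOF_ETHERFRAME_ARP_MISMATCH_DST"; sid: 3; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) 7 | #alert ( msg: "DELETED ARPSPOOF_ARP_CACHE_OVERWRITE_ATTACK"; sid: 4; gid: 112; rev: 2; metadata: rule-type preproc ; classtype:bad-unknown; ) 8 | #alert ( msg: "DELETED FRAG3_IPV6_BAD_FRAG_PKT"; sid: 10; gid: 123; rev: 2; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; ) 9 | #alert ( msg: "DELETED FRAG3_IPV6_BSD_ICMP_FRAG"; sid: 9; gid: 123; rev: 2; metadata: rule-type preproc ; classtype:attempted-admin; reference:cve,2007-1365; ) 10 | -------------------------------------------------------------------------------- /docker/Dockerfile: --------------------------------------------------------------------------------
# Snort 2 image: builds snort from the upstream source tarball on top of
# debian:buster-slim and copies the lab material, tools and vim setup into /root.
FROM debian:buster-slim
ENV VERSION 2.9.19
# Optional SHA-256 of snort-$VERSION.tar.gz. When supplied
# (docker build --build-arg SNORT_SHA256=<hex digest of the tarball>),
# the download is verified before it is unpacked; when left empty the build
# behaves as before and trusts whatever the download server returns.
ARG SNORT_SHA256=""

RUN mkdir -p /root/pcaps/
COPY labs /root/
COPY tools /root/
WORKDIR /root/src/

# Build dependencies, snort build, then cleanup of the source tree.
# curl -f: fail on an HTTP error instead of saving an error page as the tarball
# (tar would otherwise fail later with a confusing message).
# /var/lib/apt/lists is removed after install so the package index is not baked
# into the image layer.
RUN apt-get update && \
    apt-get -y install \
    build-essential \
    vim \
    curl \
    gcc \
    flex \
    bison \
    pkg-config \
    libpcap0.8 \
    libpcap0.8-dev \
    libpcre3 \
    libpcre3-dev \
    libdumbnet1 \
    libdumbnet-dev \
    libdaq2 \
    libdaq-dev \
    zlib1g \
    zlib1g-dev \
    liblzma5 \
    liblzma-dev \
    luajit \
    libluajit-5.1-dev \
    libssl1.1 \
    libssl-dev \
    tcpreplay && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* && \
    curl -fL -O https://snort.org/downloads/snort/snort-$VERSION.tar.gz && \
    if [ -n "$SNORT_SHA256" ]; then echo "$SNORT_SHA256  snort-$VERSION.tar.gz" | sha256sum -c -; fi && \
    tar xf ./snort-$VERSION.tar.gz && \
    cd ./snort-$VERSION && \
    ./configure --enable-sourcefire --enable-open-appid && \
    make -j$(nproc) && \
    make install && \
    ldconfig && \
    cd /root && \
    rm -rf /root/src && \
    touch /root/pcaps/local.rules && \
    echo 'export TERM=xterm-256color' >> ~/.bashrc

# rule syntax file
COPY include/hog.vim /root/.vim/syntax/hog.vim
# colorscheme
COPY include/ir_black.vim /root/.vim/colors/ir_black.vim
# vimrc
COPY include/vimrc /root/.vimrc

# Interactive shell by default; connect.sh / run_pcap.sh pass their own command.
CMD /bin/bash
-------------------------------------------------------------------------------- /docker/etc/attribute_table.dtd: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 2-Clause License 2 | 3 | Copyright (c) 2020, Cisco Talos 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | 1.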
Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 17 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 20 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 22 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 23 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 24 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 25 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /docker/etc/rules/scada.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
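The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # SCADA RULES 20 | #------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 2537 (msg:"SCADA Schneider Electric Accutech http request overflow attempt"; flow:to_server,established; content:"GET /"; depth:5; isdataat:128,relative; content:!" HTTP/1.1"; within:128; reference:bugtraq,57651; reference:cve,2013-0658; classtype:attempted-admin; sid:39941; rev:1;) 23 | -------------------------------------------------------------------------------- /docker/run_pcap.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Replay every *.pcap in a directory through the snort2 container, using the
# snort.conf found in the given configuration directory.
#
# Usage: run_pcap.sh [-q] -c CONF_DIR -p PCAP_DIR
#   -c  directory containing snort.conf (mounted at /etc/snort)
#   -p  directory of pcaps to replay (mounted at /root/pcaps)
#   -q  pass -q to snort (note: -q is already passed unconditionally below,
#       so this option currently changes nothing)

set -e

OPTIND=1

show_help() {
    echo "$0 [-q] -c CONF_DIR -p PCAP_DIR"
}

while getopts ":p:c:q" opt; do
    case "$opt" in
        p)
            # realpath exits non-zero on a missing path, which set -e turns
            # into an abort with realpath's own error message
            pcap_dir="$(realpath "$OPTARG")"
            ;;
        c)
            conf="$(realpath "$OPTARG")"
            ;;
        q)
            quiet="-q"
            ;;
        :)
            # leading ':' in the optstring: a missing option argument lands here
            echo "Option -$OPTARG requires an argument" >&2
            show_help
            exit 1
            ;;
        \?)
            # getopts reports an unknown option as '?'; the previous pattern
            # 'h|/?' never matched it, so bad options were silently ignored.
            # A usage error is now a failure (exit 1) rather than exit 0.
            echo "Unknown argument $OPTARG" >&2
            show_help
            exit 1
            ;;
    esac
done
shift $((OPTIND-1))
echo "Pcaps: $pcap_dir"
echo "Conf: $conf"

if [[ -z $pcap_dir ]]; then
    echo "pcap directory is required"
    show_help
    exit 1
fi

if [[ ! -d $pcap_dir ]]; then
    echo "pcap directory is not accessible: $pcap_dir"
    show_help
    exit 1
fi

if [[ -z $conf ]]; then
    echo "snort conf is required"
    show_help
    exit 1
fi

if [[ ! -d $conf ]]; then
    echo "snort conf directory is not accessible: $conf"
    exit 1
fi

# Host paths are quoted so directories containing spaces mount correctly.
# The conf mount could be made read-only (":ro") if snort.conf does not
# direct any output under /etc/snort.
docker run -it \
    -v "$conf:/etc/snort" \
    -v "$pcap_dir:/root/pcaps" \
    snort2 \
    snort $quiet \
    -q \
    -N \
    -A cmg \
    -I \
    -c /etc/snort/snort.conf \
    -Q \
    --daq dump \
    --daq-var load-mode=read-file \
    --daq-var file=/dev/null \
    --pcap-filter="*.pcap" \
    --pcap-dir="/root/pcaps" \
    --pcap-reset \
    --pcap-show

-------------------------------------------------------------------------------- /docker/etc/rules/x11.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0).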
17 | # 18 | #----------- 19 | # X11 RULES 20 | #----------- 21 | 22 | # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;) 23 | # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:11;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unknown; sid:1226; rev:14;) 26 | -------------------------------------------------------------------------------- /docker/etc/threshold.conf: -------------------------------------------------------------------------------- 1 | # Configure Thresholding and Suppression 2 | # ====================================== 3 | # 4 | # The threshold command is deprecated. Use detection_filter for thresholds 5 | # within a rule and event_filter for standalone threshold configurations. 6 | # Please see README.filters for more information on filters. 7 | # 8 | # Thresholding: 9 | # 10 | # This feature is used to reduce the number of logged alerts for noisy rules. 11 | # This can be tuned to significantly reduce false alarms, and it can also be 12 | # used to write a newer breed of rules. Thresholding commands limit the number 13 | # of times a particular event is logged during a specified time interval. 
14 | # 15 | # There are 3 types of event_filters: 16 | # 17 | # 1) Limit 18 | # Alert on the 1st M events during the time interval, then ignore 19 | # events for the rest of the time interval. 20 | # 21 | # 2) Threshold 22 | # Alert every M times we see this event during the time interval. 23 | # 24 | # 3) Both 25 | # Alert once per time interval after seeing M occurrences of the 26 | # event, then ignore any additional events during the time interval. 27 | # 28 | # Threshold commands are formatted as: 29 | # 30 | # event_filter gen_id gen-id, sig_id sig-id, \ 31 | # type limit|threshold|both, track by_src|by_dst, \ 32 | # count n , seconds m 33 | # 34 | # Limit to logging 1 event per 60 seconds: 35 | # 36 | # event_filter gen_id 1, sig_id 1851, type limit, \ 37 | # track by_src, count 1, seconds 60 38 | # 39 | # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 40 | # each rule (rules are gen_id 1): 41 | # 42 | # event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60 43 | # 44 | # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 45 | # any alert for any event generator: 46 | # 47 | # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 48 | # 49 | # Suppression: 50 | # 51 | # Suppression commands are standalone commands that reference generators and 52 | # sids and IP addresses via a CIDR block (or IP list). This allows a rule to be 53 | # completely suppressed, or suppressed when the causative traffic is going to 54 | # or coming from a specific IP or group of IP addresses.
55 | # 56 | # Suppress this event completely: 57 | # 58 | # suppress gen_id 1, sig_id 1852 59 | # 60 | # Suppress this event from this IP: 61 | # 62 | # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 63 | # 64 | # Suppress this event to this CIDR block: 65 | # 66 | # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 67 | # 68 | 69 | # Global event filter to limit events from a unique src to 1 in 60 seconds 70 | # Disabled by default turn on if you want this functionality 71 | # 72 | 73 | # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 74 | -------------------------------------------------------------------------------- /docker/etc/rules/policy-multimedia.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------------- 19 | # POLICY-MULTIMEDIA RULES 20 | #------------------------- 21 | 22 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;) 23 | # alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;) 24 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Youtube video player file request"; flow:to_server,established; content:"/get_video?video_id"; fast_pattern; nocase; http_uri; content:"youtube.com"; nocase; metadata:service http; classtype:policy-violation; sid:12436; rev:9;) 25 | # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;) 26 | # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;) 27 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Google video player request"; flow:to_server,established; content:"/googleplayer.swf"; nocase; http_uri; metadata:service http; classtype:policy-violation; sid:12437; rev:9;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java 
applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;) 29 | -------------------------------------------------------------------------------- /docker/etc/classification.config: -------------------------------------------------------------------------------- 1 | # $Id$ 2 | # The following includes information for prioritizing rules 3 | # 4 | # Each classification includes a shortname, a description, and a default 5 | # priority for that classification. 6 | # 7 | # This allows alerts to be classified and prioritized. You can specify 8 | # what priority each classification has. Any rule can override the default 9 | # priority for that rule. 10 | # 11 | # Here are a few example rules: 12 | # 13 | # alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 14 | # dsize: > 128; classtype:attempted-admin; priority:10; 15 | # 16 | # alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \ 17 | # content:"expn root"; nocase; classtype:attempted-recon;) 18 | # 19 | # The first rule will set its type to "attempted-admin" and override 20 | # the default priority for that type to 10. 21 | # 22 | # The second rule sets its type to "attempted-recon" and sets its 23 | # priority to the default for that type.
24 | # 25 | 26 | # 27 | # config classification:shortname,short description,priority 28 | # 29 | 30 | config classification: not-suspicious,Not Suspicious Traffic,3 31 | config classification: unknown,Unknown Traffic,3 32 | config classification: bad-unknown,Potentially Bad Traffic, 2 33 | config classification: attempted-recon,Attempted Information Leak,2 34 | config classification: successful-recon-limited,Information Leak,2 35 | config classification: successful-recon-largescale,Large Scale Information Leak,2 36 | config classification: attempted-dos,Attempted Denial of Service,2 37 | config classification: successful-dos,Denial of Service,2 38 | config classification: attempted-user,Attempted User Privilege Gain,1 39 | config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 40 | config classification: successful-user,Successful User Privilege Gain,1 41 | config classification: attempted-admin,Attempted Administrator Privilege Gain,1 42 | config classification: successful-admin,Successful Administrator Privilege Gain,1 43 | 44 | 45 | # NEW CLASSIFICATIONS 46 | config classification: rpc-portmap-decode,Decode of an RPC Query,2 47 | config classification: shellcode-detect,Executable Code was Detected,1 48 | config classification: string-detect,A Suspicious String was Detected,3 49 | config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2 50 | config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2 51 | config classification: system-call-detect,A System Call was Detected,2 52 | config classification: tcp-connection,A TCP Connection was Detected,4 53 | config classification: trojan-activity,A Network Trojan was Detected, 1 54 | config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2 55 | config classification: network-scan,Detection of a Network Scan,3 56 | config classification: denial-of-service,Detection of a Denial of Service 
Attack,2 57 | config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2 58 | config classification: protocol-command-decode,Generic Protocol Command Decode,3 59 | config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2 60 | config classification: web-application-attack,Web Application Attack,1 61 | config classification: misc-activity,Misc activity,3 62 | config classification: misc-attack,Misc Attack,2 63 | config classification: icmp-event,Generic ICMP event,3 64 | config classification: inappropriate-content,Inappropriate Content was Detected,1 65 | config classification: policy-violation,Potential Corporate Privacy Violation,1 66 | config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2 67 | config classification: sdf,Sensitive Data was Transmitted Across the Network,2 68 | config classification: file-format,Known malicious file or file based exploit,1 69 | config classification: malware-cnc,Known malware command and control traffic,1 70 | config classification: client-side-exploit,Known client side exploit attempt,1 71 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-finger.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------------- 19 | # PROTOCOL-FINGER RULES 20 | #----------------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;) 23 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . 
query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;) 31 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;) 32 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 
root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;) 34 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;) 36 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-nntp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------------- 19 | # PROTOCOL-NNTP RULES 20 | #--------------------- 21 | 22 | # alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP return code buffer overflow attempt"; flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:ruleset community; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:16;) 23 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538; rev:22;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version"; fast_pattern:only; 
pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; fast_pattern:only; pcre:"/^sendme\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15;) 31 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;) 32 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 
119 (msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP cancel overflow attempt"; flow:to_server,established; content:"cancel"; fast_pattern:only; pcre:"/^cancel\x3a[^\n]{32}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:12464; rev:7;) 34 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:11;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Control overflow attempt"; flow:to_server,established; content:"Control|3A| "; isdataat:23,relative; content:!"|0D 0A|"; within:23; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:43760; rev:1;) 36 | -------------------------------------------------------------------------------- /docker/include/ir_black.vim: -------------------------------------------------------------------------------- 1 | " ir_black color scheme 2 | set background=dark 3 | hi clear 4 | 5 | if exists("syntax_on") 6 | syntax reset 7 | endif 8 | 9 | let colors_name = "ir_black" 10 | 11 | "hi Example guifg=NONE guibg=NONE gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 12 | 13 | " General colors 14 | hi Normal guifg=#f6f3e8 guibg=black gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 15 | hi NonText guifg=#070707 guibg=black gui=NONE ctermfg=black ctermbg=NONE cterm=NONE 16 | 17 | hi Cursor guifg=black guibg=white gui=NONE 
ctermfg=black ctermbg=white cterm=reverse 18 | hi LineNr guifg=#3D3D3D guibg=black gui=NONE ctermfg=darkgray ctermbg=NONE cterm=NONE 19 | 20 | hi VertSplit guifg=#202020 guibg=#202020 gui=NONE ctermfg=darkgray ctermbg=234 cterm=NONE 21 | hi StatusLine guifg=#CCCCCC guibg=#202020 gui=italic ctermfg=white ctermbg=234 cterm=NONE 22 | hi StatusLineNC guifg=black guibg=#202020 gui=NONE ctermfg=blue ctermbg=234 cterm=NONE 23 | 24 | hi Folded guifg=#a0a8b0 guibg=#384048 gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 25 | hi Title guifg=#f6f3e8 guibg=NONE gui=bold ctermfg=NONE ctermbg=NONE cterm=NONE 26 | hi Visual guifg=NONE guibg=#262D51 gui=NONE ctermfg=NONE ctermbg=17 cterm=NONE 27 | 28 | hi SpecialKey guifg=#808080 guibg=#343434 gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 29 | 30 | hi WildMenu guifg=green guibg=yellow gui=NONE ctermfg=black ctermbg=yellow cterm=NONE 31 | hi PmenuSbar guifg=black guibg=white gui=NONE ctermfg=black ctermbg=white cterm=NONE 32 | "hi Ignore guifg=gray guibg=black gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 33 | 34 | hi Error guifg=NONE guibg=NONE gui=undercurl ctermfg=white ctermbg=red cterm=NONE 35 | hi ErrorMsg guifg=white guibg=#FF6C60 gui=BOLD ctermfg=white ctermbg=red cterm=NONE 36 | hi WarningMsg guifg=white guibg=#FF6C60 gui=BOLD ctermfg=white ctermbg=red cterm=NONE 37 | 38 | " Message displayed in lower left, such as --INSERT-- 39 | hi ModeMsg guifg=black guibg=#C6C5FE gui=BOLD ctermfg=black ctermbg=cyan cterm=BOLD 40 | 41 | if version >= 700 " Vim 7.x specific colors 42 | hi CursorLine guifg=NONE guibg=#121212 gui=NONE ctermfg=NONE ctermbg=NONE cterm=BOLD 43 | hi CursorColumn guifg=NONE guibg=#121212 gui=NONE ctermfg=NONE ctermbg=NONE cterm=BOLD 44 | hi MatchParen guifg=#f6f3e8 guibg=#857b6f gui=BOLD ctermfg=white ctermbg=darkgray cterm=NONE 45 | hi Pmenu guifg=#f6f3e8 guibg=#444444 gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 46 | hi PmenuSel guifg=#000000 guibg=#cae682 gui=NONE ctermfg=NONE ctermbg=NONE cterm=NONE 47 | hi 
Search guifg=NONE guibg=NONE gui=underline ctermfg=NONE ctermbg=NONE cterm=underline 48 | endif 49 | 50 | " Syntax highlighting 51 | hi Comment guifg=#7C7C7C guibg=NONE gui=NONE ctermfg=darkgray ctermbg=NONE cterm=NONE 52 | hi String guifg=#A8FF60 guibg=NONE gui=NONE ctermfg=green ctermbg=NONE cterm=NONE 53 | hi Number guifg=#FF73FD guibg=NONE gui=NONE ctermfg=magenta ctermbg=NONE cterm=NONE 54 | 55 | hi Keyword guifg=#96CBFE guibg=NONE gui=NONE ctermfg=blue ctermbg=NONE cterm=NONE 56 | hi PreProc guifg=#96CBFE guibg=NONE gui=NONE ctermfg=blue ctermbg=NONE cterm=NONE 57 | hi Conditional guifg=#6699CC guibg=NONE gui=NONE ctermfg=blue ctermbg=NONE cterm=NONE 58 | 59 | hi Todo guifg=#8f8f8f guibg=NONE gui=NONE ctermfg=red ctermbg=NONE cterm=NONE 60 | hi Constant guifg=#99CC99 guibg=NONE gui=NONE ctermfg=cyan ctermbg=NONE cterm=NONE 61 | 62 | hi Identifier guifg=#C6C5FE guibg=NONE gui=NONE ctermfg=cyan ctermbg=NONE cterm=NONE 63 | hi Function guifg=#FFD2A7 guibg=NONE gui=NONE ctermfg=brown ctermbg=NONE cterm=NONE 64 | hi Type guifg=#FFFFB6 guibg=NONE gui=NONE ctermfg=yellow ctermbg=NONE cterm=NONE 65 | hi Statement guifg=#6699CC guibg=NONE gui=NONE ctermfg=lightblue ctermbg=NONE cterm=NONE 66 | 67 | hi Special guifg=#E18964 guibg=NONE gui=NONE ctermfg=white ctermbg=NONE cterm=NONE 68 | hi Delimiter guifg=#00A0A0 guibg=NONE gui=NONE ctermfg=cyan ctermbg=NONE cterm=NONE 69 | hi Operator guifg=white guibg=NONE gui=NONE ctermfg=white ctermbg=NONE cterm=NONE 70 | 71 | hi link Character Constant 72 | hi link Boolean Constant 73 | hi link Float Number 74 | hi link Repeat Statement 75 | hi link Label Statement 76 | hi link Exception Statement 77 | hi link Include PreProc 78 | hi link Define PreProc 79 | hi link Macro PreProc 80 | hi link PreCondit PreProc 81 | hi link StorageClass Type 82 | hi link Structure Type 83 | hi link Typedef Type 84 | hi link Tag Special 85 | hi link SpecialChar Special 86 | hi link SpecialComment Special 87 | hi link Debug Special 88 | 
-------------------------------------------------------------------------------- /docker/etc/rules/protocol-services.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------------- 19 | # PROTOCOL-SERVICES RULES 20 | #------------------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin guest"; flow:to_server,established; content:"guest|00|guest|00|"; fast_pattern:only; classtype:attempted-user; sid:20602; rev:3;) 23 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin nobody"; flow:to_server,established; content:"nobody|00|nobody|00|"; fast_pattern:only; classtype:attempted-user; sid:20601; rev:3;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;) 26 | # alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; 
fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;) 31 | # alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;) 32 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:13;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;) 34 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;) 36 | # alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; isdataat:94; content:!"="; depth:64; offset:30; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+\x00/"; reference:cve,2013-2850; 
reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31590; rev:1;) 37 | # alert tcp any any -> $HOME_NET [3260,860] (msg:"PROTOCOL-SERVICES Linux iscsi_add_notunderstood_response request buffer overflow attempt"; flow:to_server,established; content:"TargetName="; fast_pattern:only; content:"|00|"; offset:30; isdataat:64,relative; content:!"="; within:64; pcre:"/[\w\x2e\x2b\x3a\x2d@_]{64,}\x3d[\w\x2e\x2b\x3a\x2d@_]+?\x00/R"; reference:cve,2013-2850; reference:url,seclists.org/oss-sec/2013/q2/448; classtype:attempted-user; sid:31589; rev:1;) 38 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES Cisco Prime Lan Management rsh command execution attempt"; flow:to_server,established; content:"|00|casuser|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00casuser\x00/i"; metadata:policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:25535; rev:8;) 39 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;) 40 | -------------------------------------------------------------------------------- /docker/etc/rules/content-replace.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------------- 19 | # CONTENT-REPLACE RULES 20 | #----------------------- 21 | 22 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE AIM deny out-bound file transfer attempts"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12038; rev:3;) 23 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE MSN deny out-bound file transfer attempts"; flow:established,to_server; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; replace:"aaaaaaa"; classtype:policy-violation; sid:12032; rev:3;) 24 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts"; flow:established,to_server; content:"/notifyft"; nocase; replace:"/XXXXXXXX"; content:"Host|3A|filetransfer.msg.yahoo.com"; classtype:policy-violation; sid:12040; rev:3;) 25 | # alert tcp $HOME_NET any -> 
$EXTERNAL_NET 5222 (msg:"CONTENT-REPLACE Jabber deny out-bound file transfer attempts"; flow:established,to_server; content:"jabber.org/protocol"; nocase; content:"file xmlns="; nocase; content:"|22|set|22|"; replace:"|22|NOT|22|"; classtype:policy-violation; sid:12034; rev:3;) 26 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CONTENT-REPLACE IRC deny out-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12036; rev:3;) 27 | # alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12041; rev:3;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE MSN deny in-bound file transfer attempts"; flow:established,to_client; content:"MSG"; content:"msnmsgrp2p"; nocase; replace:"AAAAAAAAAA"; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; classtype:policy-violation; sid:12031; rev:3;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny in-bound file transfer attempts"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12037; rev:3;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; depth:4; content:"|00|F"; depth:2; offset:10; replace:"OK"; classtype:policy-violation; sid:12039; rev:3;) 31 | # alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"CONTENT-REPLACE Jabber deny in-bound file transfer 
attempts"; flow:established,to_client; content:"profile="; nocase; content:"jabber.org/protocol"; nocase; content:"id="; nocase; replace:"NO="; classtype:policy-violation; sid:12033; rev:3;) 32 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts"; flow:established,to_server; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12042; rev:3;) 33 | # alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CONTENT-REPLACE IRC deny in-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12035; rev:3;) 34 | # alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5190] (msg:"CONTENT-REPLACE AIM or ICQ deny unencrypted login connection"; flow:established,to_server; dsize:<500; content:"*|01|"; depth:2; replace:"|FF FF|"; reference:url,www.protocolbase.net/protocols/protocol_ICQ.php; classtype:policy-violation; sid:15415; rev:6;) 35 | # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny server certificate for encrypted login"; flow:established,to_client; ssl_version:tls1.0; content:"0|16 06 03|U|04 03 13 0F|kdc.uas.aol.com"; nocase; replace:"0|16 06 03|U|04 03 13 00|xxx.xxx.xxx.com"; classtype:policy-violation; sid:15417; rev:4;) 36 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CONTENT-REPLACE MSN deny login"; flow:established,to_server; content:"USR "; depth:4; replace:"FFF "; classtype:policy-violation; sid:15420; rev:2;) 37 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONTENT-REPLACE ICQ deny http proxy login"; flow:established,to_server; content:"Host|3A| http.proxy.icq.com"; nocase; content:"GET /hello"; depth:10; nocase; replace:"GET /gdbye"; metadata:service http; classtype:policy-violation; sid:15416; rev:4;) 38 | # alert tcp $HOME_NET any -> 
$EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger deny outbound login attempt"; flow:established,to_server; content:"YMSG"; depth:4; content:"|00|W"; depth:2; offset:10; replace:"|FF FF|"; classtype:policy-violation; sid:15429; rev:2;) 39 | # alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2008 deny udp login"; content:"|02 12|Q|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15440; rev:2;) 40 | # alert udp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"CONTENT-REPLACE QQ 2009 deny udp login"; content:"|02 16|!|00|"; depth:4; replace:"|FF FF FF FF|"; classtype:policy-violation; sid:15438; rev:2;) 41 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 12|Q|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15441; rev:2;) 42 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"CONTENT-REPLACE QQ 2009 deny tcp login"; flow:established,to_server; content:"|00|N|02 16|!|00|"; depth:6; replace:"|FF FF FF FF FF FF|"; classtype:policy-violation; sid:15439; rev:2;) 43 | # alert tcp $HOME_NET any -> $EXTERNAL_NET [443,5222] (msg:"CONTENT-REPLACE Google Talk deny login"; flow:established,to_server; content:" $HOME_NET [135,139,445,6503,6504] (msg:"CONTENT-REPLACE Microsoft Windows Encrypted DCERPC request attempt"; flow:established,to_server; content:"|05 00 0B|"; content:"NTLMSSP|00 01 00 00 00|"; distance:0; content:"|0A 06 00 00|"; within:4; distance:-20; replace:"|0A 02 00 00|"; metadata:policy max-detect-ips drop; classtype:protocol-command-decode; sid:18469; rev:7;) 45 | -------------------------------------------------------------------------------- /docker/etc/rules/pua-p2p.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # PUA-P2P RULES 20 | #--------------- 21 | 22 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;) 23 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;) 24 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;) 25 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service 
http; classtype:policy-violation; sid:2180; rev:10;) 26 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;) 27 | # alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;) 28 | # alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;) 29 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"PUA-P2P AOL Instant Messenger file receive attempt"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3681; rev:6;) 30 | # alert tcp $EXTERNAL_NET 5190 -> $HOME_NET any (msg:"PUA-P2P AOL Instant Messenger file send attempt"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; distance:0; byte_test:2,=,2,-25,relative; classtype:policy-violation; sid:3680; rev:7;) 31 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client setup get newest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getnewestversion"; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5694; rev:11;) 32 | # 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client start up get latest version attempt"; flow:to_server,established; content:"/ui/"; http_uri; content:"/getlatestversion?ver="; http_uri; content:"Host|3A| ui.skype.com"; fast_pattern:only; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5693; rev:10;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PUA-P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.login; dsize:5; content:"|17 03 01 00|"; depth:4; classtype:policy-violation; sid:5999; rev:7;) 34 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Skype client login startup"; flow:to_server,established; dsize:5; content:"|16 03 01 00|"; depth:4; flowbits:set,skype.login; classtype:policy-violation; sid:5998; rev:7;) 35 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"PUA-P2P Outbound Joltid PeerEnabler traffic detected"; flow:established,to_server; content:"User-Agent|3A| PeerEnabler"; nocase; content:"joltid"; within:20; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453078786; reference:url,www.joltid.com; classtype:policy-violation; sid:12691; rev:5;) 36 | # alert udp $HOME_NET any <> $EXTERNAL_NET any (msg:"PUA-P2P Bittorrent uTP peer request"; content:"info_hash"; content:"get_peers"; fast_pattern:only; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16282; rev:4;) 37 | # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent scrape request"; flow:established,to_server; content:"GET"; depth:4; content:"/scrape"; distance:1; content:"info_hash="; offset:4; reference:url,www.bittorrent.org/beps/bep_0000.html; classtype:policy-violation; sid:16281; rev:3;) 38 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Skype client successful install"; flow:to_server,established; content:"/ui/"; 
http_uri; content:"/installed"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; classtype:policy-violation; sid:5692; rev:12;) 39 | alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"PUA-P2P P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:4;) 40 | alert tcp $EXTERNAL_NET 16800:17000 -> $HOME_NET any (msg:"PUA-P2P P2PTv TVAnts TCP connection traffic detected"; flow:to_client,established; content:"|04 00|"; depth:2; pcre:"/[\x01\x02\x03\x04\x05\x06\x07]\x00.{4}\x43\x00/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12211; rev:5;) 41 | alert udp $HOME_NET 16800:17000 -> $EXTERNAL_NET any (msg:"PUA-P2P P2PTv TVAnt udp traffic detected"; content:"|04 00|"; depth:2; pcre:"/[\x05\x06\x07]\x00.{6}[SD]S/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12209; rev:6;) 42 | # alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"PUA-P2P Ruckus P2P encrypted authentication connection"; flow:to_server,established; content:"|00 00|"; content:"www.ruckus.com"; within:14; distance:7; classtype:policy-violation; sid:12427; rev:4;) 43 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Ruckus P2P client activity"; flow:to_server,established; content:"User-Agent|3A| Ruckus/"; fast_pattern:only; metadata:service http; classtype:policy-violation; sid:12425; rev:7;) 44 | # alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"PUA-P2P Ruckus P2P broadcast domain probe"; flow:to_server; content:"ruckus|04|_tcp|05|local"; fast_pattern:only; classtype:policy-violation; sid:12426; rev:5;) 45 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-P2P Vuze BitTorrent client outbound connection"; flow:to_server,established; content:"User-Agent|3A| 
Azureus"; fast_pattern:only; http_header; metadata:service http; reference:url,www.vuze.com; classtype:policy-violation; sid:29357; rev:1;) 46 | -------------------------------------------------------------------------------- /docker/etc/rules/os-solaris.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------ 19 | # OS-SOLARIS RULES 20 | #------------------ 21 | 22 | # alert udp $EXTERNAL_NET 513 -> $HOME_NET 513 (msg:"OS-SOLARIS Oracle Solaris in.rwhod hostname denial of service attempt"; flow:to_server; content:"|01 01 00 00|"; depth:4; isdataat:40,relative; content:!"|00|"; within:32; distance:8; reference:bugtraq,13401; reference:cve,2004-1351; classtype:attempted-dos; sid:20725; rev:3;) 23 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OS-SOLARIS Oracle Solaris username overflow authentication bypass attempt"; flow:to_server,established; content:"c c c c c c c c c"; metadata:service telnet; reference:cve,2001-0797; classtype:attempted-admin; sid:13613; rev:6;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd arbitrary file deletion vulnerability"; flow:to_server,established; content:"|0A|U"; content:"../.."; fast_pattern:only; content:"|0A|"; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:12080; rev:9;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd unlink file attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|02|"; depth:1; content:"dfA"; nocase; pcre:"/^\x02\d+ dfA/smi"; metadata:service printer; reference:bugtraq,14510; reference:cve,2005-4797; classtype:misc-attack; sid:10418; rev:7;) 26 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"OS-SOLARIS Oracle Solaris login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-f"; distance:0; rawbytes; metadata:service telnet; reference:bugtraq,22512; reference:cve,2007-0882; classtype:attempted-admin; sid:10136; rev:10;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris LPD overflow attempt"; flow:to_server,established; 
content:"|02|//////////"; depth:11; dsize:>1000; reference:bugtraq,3274; reference:cve,2001-1583; classtype:attempted-admin; sid:3527; rev:12;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;) 30 | # alert udp $EXTERNAL_NET 67 -> $HOME_NET 68 (msg:"OS-SOLARIS Oracle Solaris DHCP Client Arbitrary Code Execution attempt"; flow:to_server; content:"|63 82 53 63|"; content:"|35 01 05|"; distance:0; fast_pattern; content:"|0F|"; distance:0; content:"|20|"; within:100; metadata:policy max-detect-ips drop, service dhcp; reference:bugtraq,14687; reference:cve,2005-2870; classtype:attempted-user; sid:17433; rev:13;) 31 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris printd Daemon Arbitrary File Deletion attempt"; flow:to_server,established; flowbits:isset,lp.controlfile; content:"|0A 55|"; content:"|2F|"; distance:0; metadata:policy max-detect-ips drop, service printer; reference:bugtraq,14510; reference:cve,2005-4797; reference:url,attack.mitre.org/techniques/T1070; reference:url,attack.mitre.org/techniques/T1107; classtype:misc-attack; sid:17353; rev:12;) 32 | alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-SOLARIS Oracle Solaris lpd control file upload attempt"; flow:to_server,established; flowbits:isset,lp.cascade; content:"|02|"; depth:1; content:"cfA"; nocase; pcre:"/^\x02\d+ cfA/smi"; flowbits:set,lp.controlfile; metadata:policy max-detect-ips drop, service printer; classtype:misc-attack; 
sid:4144; rev:12;) 33 | # alert udp $EXTERNAL_NET 177 -> $HOME_NET any (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_client; content:"|00 1C|"; depth:2; offset:17; reference:cve,2004-0368; classtype:attempted-admin; sid:37511; rev:1;) 34 | # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"OS-SOLARIS XMDCP double-free attempt"; flow:to_server,established; content:"|00 01 00 07|"; depth:4; content:!"|00 00|"; within:2; distance:5; reference:cve,2004-0368; classtype:attempted-admin; sid:39936; rev:1;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET [111,32768:] (msg:"OS-SOLARIS Solaris RPC XDR overflow code execution attempt"; flow:to_server,established; content:"|80 00 04 E8|"; depth:4; content:"|00 00 00 00 00 00 00 02 00 01|"; within:10; distance:4; content:"|00 00 55 DE|"; within:4; distance:10; byte_jump:4,0,relative,post_offset 8; isdataat:288,relative; reference:cve,2017-3623; reference:url,seclists.org/dailydave/2016/q4/15; classtype:attempted-admin; sid:42226; rev:2;) 36 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_server,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42254; rev:2;) 37 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-SOLARIS Solaris dtappgather local privilege escalation attempt"; flow:to_client,established; file_data; content:"|68 FF 83 2A CF 8D 85 94 EB FF FF 50 8D 85 94 EB FF FF 50 E8 E1 F3 FF FF 83 C4 0C 8B 45 08 3D 01 00 00 00 0F 85 20 00 00 00 6A 02|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, 
policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html; classtype:attempted-admin; sid:42253; rev:2;) 38 | # alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|120|5C|260|5C|33|5C|350|5C|41|5C|0|5C|0|5C|0|5C|350|5C|0|5C|0|5C|0|5C|0|5C|137|5C|213|5C|307|5C|5|5C|44|5C|0|5C|0|5C|0|5C|120|5C|203|5C|307|5C|157|5C|127|5C|63|5C|300|5C|260|5C|13|5C|350|5C|6|5C|0|5C|0|5C|0|5C|63|5C|300|5C|120|5C|120|5C|260|5C|1|5C|232|5C|0|5C|0|5C|0|5C|0|5C|47|5C|0|5C|303"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42283; rev:1;) 39 | # alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|63|5C|300|5C|353|5C|6|5C|137|5C|210|5C|107|5C|6|5C|353|5C|55|5C|350|5C|365|5C|377|5C|377|5C|377|5C|232|5C|172|5C|121|5C|114|5C|37|5C|47|5C|5|5C|303|5C|63|5C|322|5C|130|5C|215|5C|170|5C|24|5C|122|5C|127|5C|120|5C|253|5C|222|5C|253|5C|210|5C|102|5C|10|5C|260|5C|73|5C|350|5C|342|5C|377|5C|377|5C|377|5C|63|5C|300|5C|120|5C|260|5C|1|5C|350|5C|330|5C|377|5C|377|5C|377|5C|350|5C|333|5C|377|5C|377|5C|377|5C|57|5C|142|5C|151|5C|156|5C|57|5C|153|5C|163|5C|150|5C|"; fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42282; rev:1;) 40 | # alert tcp $EXTERNAL_NET any -> $HOME_NET [23,2323] (msg:"OS-SOLARIS Solaris catflap telnet remote code execution attempt"; flow:to_server,established; content:"|5C|100|5C|0|5C|0|5C|2|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|33|5C|221|5C|320|5C|40|5C|10|5C|220|5C|3|5C|340|5C|176|5C|222|5C|3|5C|340|5C|54|5C|202|5C|20|5C|40|5C|13|5C|221|5C|320|5C|40|5C|10|5C|220|5C|20|5C|0|5C|0|5C|202|5C|20|5C|40|5C|1|5C|221|5C|320|5C|40|5C|10|5C|0|5C|2"; 
fast_pattern:only; metadata:service telnet; classtype:attempted-admin; sid:42281; rev:1;) 41 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-pop.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #-------------------- 19 | # PROTOCOL-POP RULES 20 | #-------------------- 21 | 22 | # alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"PROTOCOL-POP libcurl MD5 digest buffer overflow attempt"; flow:to_client,established; content:"+ "; depth:2; base64_decode:relative; base64_data; content:"realm=|22|"; isdataat:32,relative; content:!"|22|"; within:32; metadata:service pop3; reference:bugtraq,57842; reference:cve,2013-0249; classtype:attempted-user; sid:26391; rev:2;) 23 | alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"PROTOCOL-POP STAT command"; flow:to_server, established; content:"STAT"; nocase; flowbits:set,pop3.stat; flowbits:noalert; metadata:service pop3; classtype:protocol-command-decode; sid:16594; rev:8;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2274; rev:11;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset 
community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; fast_pattern:only; pcre:"/^UIDL\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:17;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2112; rev:9;) 31 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2111; rev:9;) 32 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2110; rev:9;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; 
classtype:attempted-admin; sid:2109; rev:10;) 34 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2108; rev:9;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:1938; rev:10;) 36 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;) 37 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;) 38 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;) 39 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; 
reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16;) 40 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16;) 41 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:288; rev:13;) 42 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:287; rev:12;) 43 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;) 44 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; sid:1866; rev:25;) 45 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS overflow attempt"; 
flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,21645; reference:bugtraq,791; reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:24;) 46 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-tftp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #--------------------- 19 | # PROTOCOL-TFTP RULES 20 | #--------------------- 21 | 22 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:22;) 23 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:10;) 24 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1441; rev:10;) 25 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1442; rev:10;) 26 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1443; rev:10;) 27 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14;) 28 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root 
directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12;) 29 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:15;) 30 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community; classtype:bad-unknown; sid:1444; rev:9;) 31 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:8;) 32 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET transfer mode overflow attempt"; flow:to_server; content:"|00 01|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,13821; reference:cve,2005-1812; classtype:attempted-admin; sid:3817; rev:6;) 33 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP 3COM server transport mode buffer overflow attempt"; flow:to_server; content:"|00|"; depth:1; pcre:"/^(\x01|\x02)[^\x00]+\x00[^\x00]{473}/Rs"; metadata:policy max-detect-ips drop; reference:bugtraq,21301; reference:cve,2006-6183; classtype:attempted-admin; sid:9621; rev:8;) 34 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - RRQ"; flow:to_server; content:"|00 01|"; depth:2; content:"|00|"; distance:0; content:!"|00|"; within:16; reference:bugtraq,47789; reference:cve,2008-1610; reference:cve,2011-1851; classtype:attempted-admin; sid:19014; rev:5;) 35 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP UDP 
large packet use after free attempt"; flow:stateless; content:"|00 01|"; depth:2; content:"blksize|00|"; byte_test:5,>=,1500,0,relative,string,dec; metadata:service tftp; reference:cve,2013-4563; reference:cve,2018-8476; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8476; classtype:attempted-user; sid:32637; rev:3;) 36 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP HP Intelligent Management Center TFTP server MODE remote code execution attempt - WRQ"; flow:to_server; content:"|00 02|"; depth:2; content:"|00|"; distance:0; content:!"|00|"; within:16; metadata:policy max-detect-ips drop; reference:bugtraq,47789; reference:cve,2008-1610; reference:cve,2011-1851; classtype:attempted-admin; sid:19013; rev:9;) 37 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Multiple TFTP product buffer overflow attempt"; flow:to_server; dsize:>515; metadata:policy max-detect-ips drop, service tftp; reference:bugtraq,20131; reference:bugtraq,45378; reference:bugtraq,46434; reference:bugtraq,47789; reference:bugtraq,8505; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2008-1610; reference:cve,2010-4323; reference:cve,2011-1852; reference:url,secunia.com/advisories/43819; classtype:attempted-admin; sid:18767; rev:12;) 38 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Open TFTP Server log generation buffer overflow attempt"; flow:to_server; content:"|00 05|"; depth:2; isdataat:482,relative; content:!"|00|"; within:480; distance:2; metadata:policy max-detect-ips drop, service tftp; reference:bugtraq,29111; reference:cve,2008-2161; classtype:attempted-admin; sid:13927; rev:9;) 39 | # alert udp any any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP PUT Microsoft RIS filename overwrite attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"images"; distance:0; nocase; content:"windows"; distance:0; nocase; content:"|00|"; distance:0; metadata:policy max-detect-ips drop; 
reference:cve,2006-5584; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-077; classtype:policy-violation; sid:9638; rev:11;) 40 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT transfer mode overflow attempt"; flow:to_server; content:"|00 02|"; content:"|00|"; distance:1; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop; reference:bugtraq,13821; reference:bugtraq,21301; reference:cve,2005-1812; reference:cve,2006-6183; classtype:attempted-admin; sid:3818; rev:11;) 41 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24;) 42 | # alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Comtrol RocketLinx factory reset request"; flow:to_server; content:"|00 00 00 2D 00 00 00 01 01 00 00 00 03 00 00 00 06 00 C0 4E 30 01 93|"; depth:23; classtype:bad-unknown; sid:39452; rev:1;) 43 | # alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Comtrol RocketLinx switch reboot request"; flow:to_server; content:"|00 00 00 2C 00 00 00 01 01 00 00 00 03 00 00 00 06 00 C0 4E 30 01 93|"; depth:23; classtype:bad-unknown; sid:39451; rev:1;) 44 | # alert udp $EXTERNAL_NET any -> $HOME_NET 5010 (msg:"PROTOCOL-TFTP Firmware upgrade request"; flow:to_server; dsize:9; content:"|00 00 00 1F 00 00 00 01 01|"; depth:9; classtype:bad-unknown; sid:39450; rev:1;) 45 | # alert udp any any -> any 69 (msg:"PROTOCOL-TFTP WRITE long filename attempt"; flow:to_server; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; 
within:100; metadata:service tftp; classtype:misc-activity; sid:45612; rev:1;) 46 | # alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NetGain Systems Enterprise Manager TFTP directory traversal attempt"; flow:to_server; content:"|00 02|"; depth:2; content:"../"; distance:0; content:"|00|"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2017-16597; classtype:attempted-admin; sid:47564; rev:1;)
# NOTE(review): sid:47564 only matches a literal forward-slash "../" inside a WRQ (opcode |00 02|) filename. A traversal written with backslashes (if the target accepts them) or carried in an RRQ (opcode |00 01|) filename is not covered by this rule.
47 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-other.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #---------------------- 19 | # PROTOCOL-OTHER RULES 20 | #---------------------- 21 | 22 | alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43003; rev:5;) 23 | alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"IPC$|00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43002; rev:5;) 24 | # alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;) 25 | # alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PROTOCOL-OTHER Websocket upgrade request without a client key detected"; flow:to_server,established; content:"Upgrade: ws"; 
fast_pattern:only; http_header; content:!"Sec-WebSocket-Key"; http_header; metadata:service http; reference:cve,2015-8027; classtype:misc-activity; sid:37028; rev:1;)
# NOTE(review): the content pattern of sid:35690 and sid:35689 below is empty (content:"";) in this listing; the original was presumably a tag-like "<...>" string that was dropped when the file was rendered as HTML. Snort 2 rejects an empty content pattern at parse time, and sid:35690 is enabled, so this file will not load as shown - restore the pattern from the upstream protocol-other.rules before use.
27 | alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:""; within:100; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35690; rev:4;) 28 | # alert tcp $HOME_NET 1900 -> $HOME_NET any (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.rootdesc; file_data; content:""; within:100; pcre:"/<\s*[^\s]{100}/"; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:attempted-user; sid:35689; rev:4;) 29 | alert tcp $HOME_NET any -> $HOME_NET 1900 (msg:"PROTOCOL-OTHER MiniUPNP rootdesc.xml file request"; flow:to_server,established; content:"/rootDesc.xml HTTP/1."; fast_pattern:only; flowbits:set,file.rootdesc; flowbits:noalert; metadata:service http; reference:cve,2015-6031; reference:url,www.talosintelligence.com/reports/TALOS-2015-0035; classtype:misc-activity; sid:35688; rev:5;) 30 | # alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid MCS serverRandomLen out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; content:"|02 F0 80 7F 66|"; within:5; distance:2; content:"|03 0C 08 00 EB 03 00 00 02 0C|"; byte_test:4,>,0x7FFFFFFF,10,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2837; reference:url,www.talosintelligence.com/reports/TALOS-2017-0339/; classtype:attempted-user; sid:42998; rev:3;) 31 | # alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any 
(msg:"PROTOCOL-OTHER FreeRDP invalid EncryptedPlatformChallenge null pointer dereference attempt"; flow:to_client,established; content:"|03 00|"; byte_extract:2,0,pktlen,relative; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; content:"|80 00|"; within:2; distance:2; content:"|02|"; within:1; distance:2; byte_test:2,>,pktlen,9,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2839; reference:url,www.talosintelligence.com/reports/TALOS-2017-0341/; classtype:attempted-user; sid:42975; rev:3;) 32 | # alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP invalid cbCompanyName out of bounds read attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|80 00|"; within:2; distance:2; content:"|01|"; within:1; distance:2; byte_test:4,>,0xFFFFFFFB,39,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2838; reference:url,www.talosintelligence.com/reports/TALOS-2017-0340/; classtype:attempted-user; sid:42974; rev:3;) 33 | # alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP RSA modulus length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; content:"|01 00 00 00 01 00 00 00 06 00|"; content:"RSA1"; within:4; distance:2; byte_test:4,<,8,0,relative,little; metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2836; reference:url,www.talosintelligence.com/reports/TALOS-2017-0338/; classtype:attempted-user; sid:42973; rev:3;) 34 | # alert tcp $EXTERNAL_NET 3389 -> $HOME_NET any (msg:"PROTOCOL-OTHER FreeRDP PER length integer underflow attempt"; flow:to_client,established; content:"|03 00|"; depth:2; content:"|02 F0 80 68 00 01 03 EB 70|"; within:9; distance:2; byte_test:1,<,4,0,relative; 
metadata:policy max-detect-ips drop, policy security-ips drop, service rdp; reference:cve,2017-2834; reference:cve,2017-2835; reference:url,www.talosintelligence.com/reports/TALOS-2017-0336/; reference:url,www.talosintelligence.com/reports/TALOS-2017-0337/; classtype:attempted-user; sid:42941; rev:3;) 35 | # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"PROTOCOL-OTHER ARM mbed TLS x509 invalid public key remote code execution attempt"; flow:to_client,established; content:"|04 08 30 06 01 01 FF 02 01 0A 30 22 06 03 55 1D 0E 04 1B 04 63 6F C0 C0 30 0A 06 08 2A 86 48 CE 3D 04 03 02 03|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service ssl; reference:url,www.talosintelligence.com/reports/TALOS-2017-0274; classtype:attempted-user; sid:41364; rev:3;) 36 | # alert tcp $EXTERNAL_NET any -> $HOME_NET [445,139] (msg:"PROTOCOL-OTHER NETBIOS Session Service header length field denial of service attempt"; flow:to_server,established,no_stream; dsize:4; content:"|00 01|"; depth:2; byte_test:2,>=,0x2710, 0, relative; detection_filter:track by_src, count 25, seconds 1; metadata:service netbios-ssn; reference:url,smbloris.com/; classtype:attempted-dos; sid:43928; rev:2;) 37 | # alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-OTHER STCP heartbeat chunk denial of service attempt"; ip_proto:132; content:"|04 00|"; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; byte_jump:2,0,relative,post_offset -4; content:"|04 00|"; within:2; reference:url,ietf.org/rfc/rfc5062.txt; classtype:denial-of-service; sid:44015; rev:1;) 38 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:2;) 39 | # alert 
tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:2;) 40 | # alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:2;) 41 | # alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:2;) 42 | # alert udp $EXTERNAL_NET any -> $HOME_NET 520 (msg:"PROTOCOL-OTHER Routing Information Protocol version 1 potential amplified distributed denial of service attempt"; flow:to_server; content:"|01 01 00 00 00|"; depth:5; fast_pattern; content:"|00 00|"; within:2; distance:1; detection_filter:track by_src, count 50, seconds 1; reference:url,blogs.akamai.com/2015/07/ripv1-reflection-ddos-making-a-comeback.html; classtype:attempted-dos; sid:46098; rev:1;) 43 | # alert udp $EXTERNAL_NET 389 -> $HOME_NET any (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; dsize:>2000; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46374; rev:1;) 44 | # alert udp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"PROTOCOL-OTHER CLDAP potential reflected distributed denial of service attempt"; flow:to_server; content:"|30 84 00 00 00|"; depth:5; detection_filter:track by_src, count 5, 
seconds 60; reference:url,www.akamai.com/us/en/multimedia/documents/state-of-the-internet/cldap-threat-advisory.pdf; classtype:attempted-dos; sid:46373; rev:1;) 45 | -------------------------------------------------------------------------------- /docker/include/hog.vim: -------------------------------------------------------------------------------- 1 | " Vim syntax file 2 | " Language: hog (Snort.conf + .rules) 3 | " Maintainer: Victor Roemer, . 4 | " Last Change: 2015 Oct 24 -> Rename syntax items from Snort -> Hog 5 | " 2012 Oct 24 -> Originalish release 6 | 7 | " quit when a syntax file was already loaded 8 | if exists("b:current_syntax") 9 | finish 10 | endif 11 | 12 | setlocal iskeyword-=: 13 | setlocal iskeyword+=- 14 | syn case ignore 15 | 16 | " Hog ruletype crap 17 | syn keyword HogRuleType ruletype nextgroup=HogRuleTypeName skipwhite 18 | syn match HogRuleTypeName "[[:alnum:]_]\+" contained nextgroup=HogRuleTypeBody skipwhite 19 | syn region HogRuleTypeBody start="{" end="}" contained contains=HogRuleTypeType,HogOutput fold 20 | syn keyword HogRuleTypeType type contained 21 | 22 | " Hog Configurables 23 | syn keyword HogPreproc preprocessor nextgroup=HogConfigName skipwhite 24 | syn keyword HogConfig config nextgroup=HogConfigName skipwhite 25 | syn keyword HogOutput output nextgroup=HogConfigName skipwhite 26 | syn match HogConfigName "[[:alnum:]_-]\+" contained nextgroup=HogConfigOpts skipwhite 27 | syn region HogConfigOpts start=":" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold keepend contained contains=HogSpecial,HogNumber,HogIPAddr,HogVar,HogComment 28 | 29 | " Event filter's and threshold's 30 | syn region HogEvFilter start="event_filter\|threshold" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogEvFilterKeyword,HogEvFilterOptions,HogComment 31 | syn keyword HogEvFilterKeyword skipwhite event_filter threshold 32 | syn keyword HogEvFilterOptions skipwhite type nextgroup=HogEvFilterTypes 33 | syn keyword 
HogEvFilterTypes skipwhite limit threshold both contained 34 | syn keyword HogEvFilterOptions skipwhite track nextgroup=HogEvFilterTrack 35 | syn keyword HogEvFilterTrack skipwhite by_src by_dst contained 36 | syn keyword HogEvFilterOptions skipwhite gen_id sig_id count seconds nextgroup=HogNumber 37 | 38 | " Suppressions 39 | syn region HogEvFilter start="suppress" skip="\\.\{-}$\|^\s*#.\{-}$\|^\s*$" end="$" fold transparent keepend contains=HogSuppressKeyword,HogComment 40 | syn keyword HogSuppressKeyword skipwhite suppress 41 | syn keyword HogSuppressOptions skipwhite gen_id sig_id nextgroup=HogNumber 42 | syn keyword HogSuppressOptions skipwhite track nextgroup=HogEvFilterTrack 43 | syn keyword HogSuppressOptions skipwhite ip nextgroup=HogIPAddr 44 | 45 | " Attribute table 46 | syn keyword HogAttribute attribute_table nextgroup=HogAttributeFile 47 | syn match HogAttributeFile contained ".*$" contains=HogVar,HogAttributeType,HogComment 48 | syn keyword HogAttributeType filename 49 | 50 | " Hog includes 51 | syn keyword HogInclude include nextgroup=HogIncludeFile skipwhite 52 | syn match HogIncludeFile ".*$" contained contains=HogVar,HogComment 53 | 54 | " Hog dynamic libraries 55 | syn keyword HogDylib dynamicpreprocessor dynamicengine dynamicdetection nextgroup=HogDylibFile skipwhite 56 | syn match HogDylibFile "\s.*$" contained contains=HogVar,HogDylibType,HogComment 57 | syn keyword HogDylibType directory file contained 58 | 59 | " Variable dereferenced with '$' 60 | syn match HogVar "\$[[:alnum:]_]\+" 61 | 62 | ", Variables declared with 'var' 63 | syn keyword HogVarType var nextgroup=HogVarSet skipwhite 64 | syn match HogVarSet "[[:alnum:]_]\+" display contained nextgroup=HogVarValue skipwhite 65 | syn match HogVarValue ".*$" contained contains=HogString,HogNumber,HogVar,HogComment 66 | 67 | " Variables declared with 'ipvar' 68 | syn keyword HogIPVarType ipvar nextgroup=HogIPVarSet skipwhite 69 | syn match HogIPVarSet "[[:alnum:]_]\+" display contained 
nextgroup=HogIPVarList,HogSpecial skipwhite 70 | syn region HogIPVarList start="\[" end="]" contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot 71 | 72 | " Variables declared with 'portvar' 73 | syn keyword HogPortVarType portvar nextgroup=HogPortVarSet skipwhite 74 | syn match HogPortVarSet "[[:alnum:]_]\+" display contained nextgroup=HogPortVarList,HogPort,HogOpRange,HogOpNot,HogSpecial skipwhite 75 | syn region HogPortVarList start="\[" end="]" contains=HogPortVarList,HogVar,HogOpNot,HogPort,HogOpRange,HogOpNot 76 | syn match HogPort "\<\%(\d\+\|any\)\>" display contains=HogOpRange nextgroup=HogOpRange 77 | 78 | " Generic stuff 79 | syn match HogIPAddr contained "\<\%(\d\{1,3}\(\.\d\{1,3}\)\{3}\|any\)\>" nextgroup=HogIPCidr 80 | syn match HogIPAddr contained "\<\d\{1,3}\(\.\d\{1,3}\)\{3}\>" nextgroup=HogIPCidr 81 | syn match HogIPCidr contained "\/\([0-2][0-9]\=\|3[0-2]\=\)" 82 | syn region HogHexEsc contained start='|' end='|' oneline 83 | syn region HogString contained start='"' end='"' extend oneline contains=HogHexEsc 84 | 85 | " XXX 86 | syn region HogRegexStr contained start='"' end='"' extend oneline 87 | 88 | syn match HogNumber contained display "\<\d\+\>" 89 | syn match HogNumber contained display "\<\d\+\>" 90 | syn match HogNumber contained display "0x\x\+\>" 91 | syn keyword HogSpecial contained true false yes no default all any 92 | syn keyword HogSpecialAny contained any 93 | syn match HogOpNot "!" 
contained 94 | syn match HogOpRange ":" contained 95 | 96 | " Rules 97 | syn keyword HogRuleAction activate alert drop block dynamic log pass reject sdrop sblock skipwhite nextgroup=HogRuleProto,HogRuleBlock 98 | syn keyword HogRuleProto ip tcp udp icmp http skipwhite contained nextgroup=HogRuleSrcIP,HogRuleBlock 99 | syn match HogRuleSrcIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleSrcPort 100 | syn match HogRuleSrcPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleDir 101 | syn match HogRuleDir "->\|<>" skipwhite contained nextgroup=HogRuleDstIP 102 | syn match HogRuleDstIP "\S\+" transparent skipwhite contained contains=HogIPVarList,HogIPAddr,HogVar,HogOpNot nextgroup=HogRuleDstPort 103 | syn match HogRuleDstPort "\S\+" transparent skipwhite contained contains=HogPortVarList,HogVar,HogPort,HogOpRange,HogOpNot nextgroup=HogRuleBlock 104 | syn region HogRuleBlock start="(" end=")" transparent skipwhite contained contains=HogRuleOption,HogComment fold 105 | ",HogString,HogComment,HogVar,HogOptNot 106 | "syn region HogRuleOption start="\" end="\ze;" skipwhite contained contains=HogNumber 107 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP msg gid sid rev classtype priority metadata service content nocase rawbytes 108 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP depth offset distance within http_client_body http_cookie http_raw_cookie http_header 109 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP http_raw_header http_method http_uri http_raw_uri http_raw_body http_stat_code http_stat_msg 110 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP fast_pattern uricontent urilen isdataat pkt_data file_data base64_decode base64_data 111 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP byte_test byte_jump byte_extract ftpbounce asn1 cvs 
dce_iface dce_opnum dce_stub_data 112 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP sip_method sip_stat_code sip_header sip_body gtp_type gtp_info gtp_version ssl_version 113 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP ssl_state fragoffset ttl tos id ipopts fragbits dsize flags flow flowbits seq ack window 114 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP itype icode icmp_id icmp_seq rpc ip_proto sameip stream_reassemble stream_size 115 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP logto session resp react tag activates activated_by count replace detection_filter 116 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleSROP threshold reference sd_pattern file_type file_group 117 | syn keyword HogRuleOption skipwhite contained nextgroup=HogRuleRegex pcre regex 118 | 119 | " XXX 120 | syn region HogRuleRegex start=':' end=";" transparent keepend contained contains=HogRegexStr 121 | 122 | syn region HogRuleSROP start=':' end=";" transparent keepend contained contains=HogRuleChars,HogString,HogNumber 123 | syn match HogRuleChars "\%(\k\|\.\|?\|=\|/\|%\|&\)\+" contained 124 | syn match HogURLChars "\%(\.\|?\|=\)\+" contained 125 | 126 | " Hog File Type Rules 127 | syn match HogFileType /^\s*file.*$/ transparent contains=HogFileTypeOpt,HogFileFROP 128 | syn keyword HogFileTypeOpt skipwhite contained nextgroup=HogRuleFROP file type ver category id rev content offset msg group 129 | syn region HogFileFROP start=':' end=";" transparent keepend contained contains=NotASemicoln 130 | syn match NotASemiColn ".*$" contained 131 | 132 | 133 | " Comments 134 | syn keyword HogTodo XXX TODO NOTE contained 135 | syn match HogTodo "Step\s\+#\=\d\+" contained 136 | syn region HogComment start="#" end="$" contains=HogTodo,@Spell 137 | 138 | syn case match 139 | 140 | if !exists("hog_minlines") 141 | let hog_minlines = 100 142 | endif 143 | exec "syn sync minlines=" . 
hog_minlines 144 | 145 | hi link HogRuleType Statement 146 | hi link HogRuleTypeName Type 147 | hi link HogRuleTypeType Keyword 148 | 149 | hi link HogPreproc Statement 150 | hi link HogConfig Statement 151 | hi link HogOutput Statement 152 | hi link HogConfigName Type 153 | 154 | "hi link HogEvFilter 155 | hi link HogEvFilterKeyword Statement 156 | hi link HogSuppressKeyword Statement 157 | hi link HogEvFilterTypes Constant 158 | hi link HogEvFilterTrack Constant 159 | 160 | hi link HogAttribute Statement 161 | hi link HogAttributeFile String 162 | hi link HogAttributeType Statement 163 | 164 | hi link HogInclude Statement 165 | hi link HogIncludeFile String 166 | 167 | hi link HogDylib Statement 168 | hi link HogDylibType Statement 169 | hi link HogDylibFile String 170 | 171 | " Variables 172 | " var 173 | hi link HogVar Identifier 174 | hi link HogVarType Keyword 175 | hi link HogVarSet Identifier 176 | hi link HogVarValue String 177 | " ipvar 178 | hi link HogIPVarType Keyword 179 | hi link HogIPVarSet Identifier 180 | " portvar 181 | hi link HogPortVarType Keyword 182 | hi link HogPortVarSet Identifier 183 | hi link HogPort Constant 184 | 185 | hi link HogTodo Todo 186 | hi link HogComment Comment 187 | hi link HogString String 188 | hi link HogRegexStr String 189 | hi link HogHexEsc PreProc 190 | hi link HogNumber Number 191 | hi link HogSpecial Constant 192 | hi link HogSpecialAny Constant 193 | hi link HogIPAddr Constant 194 | hi link HogIPCidr Constant 195 | hi link HogOpNot Operator 196 | hi link HogOpRange Operator 197 | 198 | hi link HogRuleAction Statement 199 | hi link HogRuleProto Identifier 200 | hi link HogRuleDir Operator 201 | hi link HogRuleOption Keyword 202 | hi link HogRuleChars String 203 | 204 | hi link HogFileType HogRuleAction 205 | hi link HogFileTypeOpt HogRuleOption 206 | hi link NotASemiColn HogRuleChars 207 | 208 | let b:current_syntax = "hog" 209 | -------------------------------------------------------------------------------- 
/docker/etc/rules/protocol-telnet.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #----------------------- 19 | # PROTOCOL-TELNET RULES 20 | #----------------------- 21 | # NOTE(review): sid:21938 (RuggedCom default backdoor login) only fires when the flowbit telnet.ruggedcom has already been set by the banner rule sid:21939 further down in this file; both are commented out here, and enabling 21938 without 21939 leaves it dead. Both rules match plaintext strings ("RuggedCom", "factory") only. 22 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy security-ips drop, service telnet; reference:cve,2012-1803; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:5;) 23 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;) 24 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16;) 25 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;) 26 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18;) 27 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;) 28 | # alert tcp $TELNET_SERVERS 23 -> 
$EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-admin; sid:715; rev:14;) 29 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:717; rev:15;) 30 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719; rev:15;) 31 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;) 32 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;) 33 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;) 34 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community, service telnet; 
reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17;) 35 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14;) 36 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:13;) 37 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:14;) 38 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3687; rev:10;) 39 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT VAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 00|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3688; rev:10;) 40 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-e"; distance:0; rawbytes; metadata:service telnet; reference:cve,2007-0956; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt; classtype:attempted-admin; sid:10464; rev:7;) 41 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 27 01|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:17269; rev:6;) 42 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd enc_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 07|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20812; rev:8;) 43 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd dec_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 08|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20813; rev:8;) 44 | # alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any 
(msg:"PROTOCOL-TELNET RuggedCom telnet initial banner"; flow:to_client,established; content:"RuggedCom"; fast_pattern:only; flowbits:set,telnet.ruggedcom; flowbits:noalert; metadata:service telnet; classtype:misc-activity; sid:21939; rev:4;) 45 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:25856; rev:3;) 46 | # alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18;) 47 | alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33050; rev:2;) 48 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6|"; fast_pattern:only; content:"|FF F6|"; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, 
service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33451; rev:2;) 49 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT escape overflow attempt"; flow:to_client,established; content:"|FF FA|'|01|"; rawbytes; pcre:"/(\x02([\x01\x02\x03]|\xFF\xFF)){100,}/RBsm"; content:"|FF F0|"; distance:0; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3537; rev:11;) 50 | # alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client LINEMODE SLC overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:123,relative,rawbytes; content:!"|FF|"; within:124; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3533; rev:12;) 51 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET TippingPoint IPS telnet login failure xss attempt"; flow:to_server,established; content:""; fast_pattern:only; metadata:policy max-detect-ips drop, service telnet; classtype:misc-attack; sid:45191; rev:1;) 52 | -------------------------------------------------------------------------------- /docker/etc/rules/protocol-snmp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. 
The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------------- 19 | # PROTOCOL-SNMP RULES 20 | #--------------------- 21 | 22 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;) 23 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;) 24 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;) 25 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; 
reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;) 26 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;) 28 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;) 30 | # alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;) 31 | # alert udp any any -> 255.255.255.255 162 
(msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;) 32 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;) 34 | # alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;) 36 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;) 37 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 
00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;) 38 | # alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;) 39 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP oversized sysName set request"; content:"+|06 01 02 01 01 05 00|"; byte_test:1,>,99,1,relative; metadata:service snmp; reference:bugtraq,26001; reference:cve,2007-5381; classtype:attempted-admin; sid:12712; rev:4;) 40 | # alert udp $EXTERNAL_NET any -> $HOME_NET [161,1118] (msg:"PROTOCOL-SNMP Samsung printer default community string"; content:"|04 0B|s|21|a|40|m|23|n|24|p|25|c"; depth:14; offset:5; metadata:service snmp; reference:url,attack.mitre.org/techniques/T1078; reference:url,l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; reference:url,www.kb.cert.org/vuls/id/281284; classtype:attempted-admin; sid:24814; rev:5;) 41 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;) 42 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntPassword enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 02 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31059; rev:2;) 43 | # alert udp $EXTERNAL_NET any -> 
$HOME_NET 161 (msg:"PROTOCOL-SNMP Brocade snAgentUserAccntName enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 8F 47 01 01 02 09 02 01 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/139516; classtype:attempted-recon; sid:31058; rev:2;) 44 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 09 01 05 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31057; rev:2;) 45 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Motorola Netopia 3347 series WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 82 30 01 03 01 1A 01 0F 01 03 01 05 00|"; fast_pattern:only; metadata:service snmp; reference:url,www.kb.cert.org/vuls/id/779628; classtype:attempted-recon; sid:31056; rev:2;) 46 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series password enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A4 4C 02 11 01 01 01 02 61 64 6D 69 6E 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31100; rev:2;) 47 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 06 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31099; rev:2;) 48 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee U10C019 series WEP key enumeration attempt"; flow:to_server; content:"|30 12 06 0E 2B 06 01 04 01 A4 4C 02 0E 02 05 01 02 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31098; rev:2;) 49 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 
(msg:"PROTOCOL-SNMP CableHome Devices cabhPsDevUIPassword enumeration attempt"; flow:to_server; content:"|30 13 06 0F 2B 06 01 04 01 A3 0B 02 04 01 01 06 01 02 00 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:bugtraq,69631; reference:cve,2014-4862; reference:cve,2014-4863; reference:url,oid-info.com/get/1.3.6.1.4.1.4491.2.4.1.1.6.1.2; classtype:attempted-recon; sid:31097; rev:3;) 50 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WPA key enumeration attempt"; flow:to_server; content:"|30 15 06 11 2B 06 01 04 01 A3 0B 02 04 01 01 06 02 02 01 05 0C 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31096; rev:2;) 51 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Ubee DDW3611 series WEP key enumeration attempt"; flow:to_server; content:"|30 18 06 14 2B 06 01 04 01 A4 4C 26 02 02 02 01 05 04 02 03 01 02 0C 01 05 00|"; fast_pattern:only; metadata:service snmp; classtype:attempted-recon; sid:31095; rev:2;) 52 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 8F 5B 0A|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31578; rev:1;) 53 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP HP Huawei password disclosure attempt"; flow:to_server; content:"|2B 06 01 04 01 81 C7 22|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,56183; reference:cve,2012-3268; classtype:attempted-recon; sid:31577; rev:1;) 54 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products WPA key enumeration attempt"; flow:to_server; content:"|30 16 06 12 2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 04 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31856; 
rev:3;) 55 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 64 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 02 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31855; rev:3;) 56 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Multiple Products 128 bit WEP key enumeration attempt"; flow:to_server; content:"|2B 06 01 04 01 A2 3D 02 02 02 01 05 04 02 03 01 02 20|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69630; reference:cve,2014-4862; classtype:attempted-recon; sid:31854; rev:3;) 57 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A WPA key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 1A 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31853; rev:2;) 58 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 64 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 18 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31852; rev:2;) 59 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Arris DG950A 128 bit WEP key enumeration attempt"; flow:to_server; content:"|30 14 06 10 2B 06 01 04 01 A0 13 01 14 01 01 03 19 01 02 0C 05 00|"; fast_pattern:only; metadata:service snmp; reference:bugtraq,69631; reference:cve,2014-4863; classtype:attempted-recon; sid:31851; rev:2;) 60 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP Multiple vendors AgentX receive_agentx integer overflow attempt"; flow:established,to_server; content:"|FF FF FF FF|"; depth:4; offset:16; metadata:policy 
max-detect-ips drop, service snmp; reference:bugtraq,39561; reference:cve,2010-1319; classtype:attempted-admin; sid:18926; rev:9;) 61 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC firmware update detected"; flow:to_server; content:"|2B 06 01 04 01 5F 02 03 01 01 01 01 00|"; fast_pattern:only; metadata:service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:policy-violation; sid:39877; rev:2;) 62 | alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Allen-Bradley MicroLogix PLC SNMP request via undocumented community string attempt"; flow:to_server; content:"wheel"; content:"|2B 06 01 04 01 5F|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service snmp; reference:cve,2016-5645; reference:url,www.talosintelligence.com/reports/TALOS-2016-0184; classtype:attempted-recon; sid:39876; rev:3;) 63 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium cnPilot SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 82 C0 32|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:cve,2017-5262; reference:url,blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities; classtype:attempted-recon; sid:45611; rev:1;) 64 | # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP Cambium ePMP SNMP request with read-only community string attempt"; flow:to_server; content:"|2B 06 01 04 01 81 8A 31|"; fast_pattern:only; content:"public"; metadata:service snmp; reference:bugtraq,99083; reference:cve,2017-7918; reference:cve,2017-7922; reference:url,ipositivesecurity.com/2017/04/07/cambium-snmp-security-vulnerabilities/; classtype:attempted-recon; sid:45618; rev:1;) 65 | -------------------------------------------------------------------------------- 
/docker/etc/rules/indicator-scan.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #---------------------- 19 | # INDICATOR-SCAN RULES 20 | #---------------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established,no_stream; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:policy max-detect-ips drop, service ssh; reference:cve,2012-6066; reference:cve,2015-5600; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; classtype:misc-activity; sid:19559; rev:10;) 23 | # alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:8;) 24 | # alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:7;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; 
reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:11;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13;) 31 | # alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; 
reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:9;) 32 | # alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:10;) 33 | # alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:8;) 34 | # alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:12;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10;) 36 | # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; 
reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18;) 37 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server,established; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:8081; rev:5;) 38 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Proxyfire.net anonymous proxy scan"; flow:to_server,established; content:"proxyfire.net/fastenv"; nocase; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.proxyfire.net/index.php; classtype:network-scan; sid:18179; rev:6;) 39 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan iPhone agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (iPhone|3B| U|3B| CPU iPhone OS 4_1 like Mac OS X|3B| en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B117 Safari/6531.22.7 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23604; rev:5;) 40 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan default agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1078; 
reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23601; rev:5;) 41 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan Firefox agent string"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| en-US|3B| rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23602; rev:5;) 42 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN Skipfish scan MSIE agent string"; flow:established,to_server; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0|3B| .NET CLR 1.1.4322|3B| InfoPath.1|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729|3B| SF/"; fast_pattern:only; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,code.google.com/p/skipfish/; classtype:network-scan; sid:23603; rev:5;) 43 | # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18;) 44 | # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; 
reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18;) 45 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN DirBuster brute forcing tool detected"; flow:to_server,established; content:"User-Agent|3A| DirBuster"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,attack.mitre.org/techniques/T1110; reference:url,sourceforge.net/projects/dirbuster/; classtype:web-application-attack; sid:19933; rev:8;) 46 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN sqlmap SQL injection scan attempt"; flow:to_server,established; content:"User-Agent|3A| sqlmap"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,sqlmap.sourceforge.net; classtype:web-application-activity; sid:19779; rev:7;) 47 | # alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11;) 48 | # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANIPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANIPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; 
classtype:network-scan; sid:28003; rev:2;) 49 | # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP WANPPPConnection"; flow:to_server; content:"M-SEARCH *"; depth:10; content:"MX: 2|0D 0A|"; nocase; content:"ssdp|3A|discover"; nocase; content:"urn:schemas-upnp-org:service:WANPPPConnection:1"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:28002; rev:2;) 50 | # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent Masscan"; flow:to_server,established; content:"User-Agent|3A| masscan"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/robertdavidgraham/masscan/blob/master/doc/masscan.8.markdown; classtype:misc-activity; sid:28301; rev:3;) 51 | # alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7; distance:9; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:2;) 52 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-SCAN User-Agent known malicious user-agent The Mole"; flow:to_server,established; content:"User-Agent: Mozilla/The Mole"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; 
reference:url,attack.mitre.org/techniques/T1046; reference:url,themole.sourceforge.net/; classtype:misc-activity; sid:29462; rev:3;) 53 | # alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;) 54 | # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_server,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service smtp; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40095; rev:2;) 55 | # alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt"; flow:to_client,established; file_data; content:"|22|pcap|22 2C 20 22|rar|22 2C 20 22|zip|22 2C 20 22|chls|22 2C 20 22|py|22 2C 20 22|halog|22 2C 20 22|har|22 2C 20 22|hwl|22 2C 20 22|cap|22|"; fast_pattern:only; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-3351; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,technet.microsoft.com/en-us/security/bulletin/MS16-104; classtype:attempted-recon; sid:40094; rev:2;) 56 | alert udp 
$HOME_NET any -> $EXTERNAL_NET 69 (msg:"INDICATOR-SCAN Cisco Smart Install Protocol scan TFTP response"; flow:to_server; dsize:20; content:"|00 01|random_file|00|octet|00|"; depth:20; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service tftp; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-recon; sid:41793; rev:3;) 57 | # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN PHP info leak attempt"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,secure.php.net/manual/en/function.phpinfo.php; classtype:attempted-recon; sid:42289; rev:2;) 58 | # alert udp $EXTERNAL_NET 53 -> $HOME_NET 53 (msg:"INDICATOR-SCAN DNS version.bind string information disclosure attempt"; flow:to_server; content:"versio"; fast_pattern; content:"|00 10 00 03|"; within:260; metadata:policy max-detect-ips drop, policy security-ips drop, service dns; reference:cve,2017-0171; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:42785; rev:4;) 59 | --------------------------------------------------------------------------------