├── .github └── workflows │ ├── docker.yml │ ├── stale.yml │ └── test.yml ├── .gitignore ├── AUTHORS ├── CONTRIBUTING.md ├── LICENSE ├── MAINTAINERS ├── Makefile ├── README.md ├── mercury ├── Dockerfile ├── __init__.py ├── app.py ├── requirements.txt ├── test_app.py └── test_lo.pcap ├── network_tap ├── Dockerfile ├── README.md ├── __init__.py ├── healthcheck │ ├── hc.py │ └── requirements.txt ├── ncapture │ ├── Dockerfile │ ├── requirements.txt │ ├── run.sh │ ├── send_message.py │ └── test_ncapture.sh └── ncontrol │ ├── ncontrol.py │ ├── paths.py │ ├── requirements.txt │ ├── routes.py │ └── test_ncontrol.py ├── network_tools_lib ├── VERSION └── network_tools_lib.py ├── p0f ├── Dockerfile ├── __init__.py ├── app.py ├── requirements.txt ├── test_app.py ├── test_lo.cap └── tsharkwrapper.sh ├── pcap_stats ├── Dockerfile ├── __init__.py ├── asn.sh ├── nmap-mac-prefixes.txt ├── pcap_stats.py ├── requirements.txt └── test_pcap_stats.py ├── pcap_to_node_pcap ├── .dockerignore ├── Dockerfile ├── __init__.py ├── pcap_to_node_pcap.py ├── requirements.txt ├── test_lo.cap └── test_pcap_to_node_pcap.py ├── rbqwrapper ├── Dockerfile ├── rbqwrapper.py ├── requirements.txt └── test_rbqwrapper.py ├── renovate.json ├── replay_pcap ├── Dockerfile └── replay.sh ├── snort ├── Dockerfile ├── __init__.py ├── daq-2.0.7.tar.gz ├── downloadhelper.sh ├── requirements.txt ├── snort-2.9.18.tar.gz ├── snort.py ├── snortrules-snapshot-29150 │ ├── etc │ │ ├── classification.config │ │ ├── reference.config │ │ ├── sid-msg.map │ │ ├── snort.conf │ │ ├── threshold.conf │ │ └── unicode.map │ ├── preproc_rules │ │ ├── decoder.rules │ │ ├── preprocessor.rules │ │ └── sensitive-data.rules │ ├── rules │ │ ├── VRT-License.txt │ │ ├── app-detect.rules │ │ ├── attack-responses.rules │ │ ├── backdoor.rules │ │ ├── bad-traffic.rules │ │ ├── blacklist.rules │ │ ├── botnet-cnc.rules │ │ ├── browser-chrome.rules │ │ ├── browser-firefox.rules │ │ ├── browser-ie.rules │ │ ├── browser-other.rules │ │ ├── 
browser-plugins.rules │ │ ├── browser-webkit.rules │ │ ├── chat.rules │ │ ├── content-replace.rules │ │ ├── ddos.rules │ │ ├── deleted.rules │ │ ├── dns.rules │ │ ├── dos.rules │ │ ├── experimental.rules │ │ ├── exploit-kit.rules │ │ ├── exploit.rules │ │ ├── file-executable.rules │ │ ├── file-flash.rules │ │ ├── file-identify.rules │ │ ├── file-image.rules │ │ ├── file-java.rules │ │ ├── file-multimedia.rules │ │ ├── file-office.rules │ │ ├── file-other.rules │ │ ├── file-pdf.rules │ │ ├── finger.rules │ │ ├── ftp.rules │ │ ├── icmp-info.rules │ │ ├── icmp.rules │ │ ├── imap.rules │ │ ├── indicator-compromise.rules │ │ ├── indicator-obfuscation.rules │ │ ├── indicator-scan.rules │ │ ├── indicator-shellcode.rules │ │ ├── info.rules │ │ ├── local.rules │ │ ├── malware-backdoor.rules │ │ ├── malware-cnc.rules │ │ ├── malware-other.rules │ │ ├── malware-tools.rules │ │ ├── misc.rules │ │ ├── multimedia.rules │ │ ├── mysql.rules │ │ ├── netbios.rules │ │ ├── nntp.rules │ │ ├── oracle.rules │ │ ├── os-linux.rules │ │ ├── os-mobile.rules │ │ ├── os-other.rules │ │ ├── os-solaris.rules │ │ ├── os-windows.rules │ │ ├── other-ids.rules │ │ ├── p2p.rules │ │ ├── phishing-spam.rules │ │ ├── policy-multimedia.rules │ │ ├── policy-other.rules │ │ ├── policy-social.rules │ │ ├── policy-spam.rules │ │ ├── policy.rules │ │ ├── pop2.rules │ │ ├── pop3.rules │ │ ├── protocol-dns.rules │ │ ├── protocol-finger.rules │ │ ├── protocol-ftp.rules │ │ ├── protocol-icmp.rules │ │ ├── protocol-imap.rules │ │ ├── protocol-nntp.rules │ │ ├── protocol-other.rules │ │ ├── protocol-pop.rules │ │ ├── protocol-rpc.rules │ │ ├── protocol-scada.rules │ │ ├── protocol-services.rules │ │ ├── protocol-snmp.rules │ │ ├── protocol-telnet.rules │ │ ├── protocol-tftp.rules │ │ ├── protocol-voip.rules │ │ ├── pua-adware.rules │ │ ├── pua-other.rules │ │ ├── pua-p2p.rules │ │ ├── pua-toolbars.rules │ │ ├── rpc.rules │ │ ├── rservices.rules │ │ ├── scada.rules │ │ ├── scan.rules │ │ ├── server-apache.rules │ │ 
├── server-iis.rules │ │ ├── server-mail.rules │ │ ├── server-mssql.rules │ │ ├── server-mysql.rules │ │ ├── server-oracle.rules │ │ ├── server-other.rules │ │ ├── server-samba.rules │ │ ├── server-webapp.rules │ │ ├── shellcode.rules │ │ ├── smtp.rules │ │ ├── snmp.rules │ │ ├── specific-threats.rules │ │ ├── spyware-put.rules │ │ ├── sql.rules │ │ ├── telnet.rules │ │ ├── tftp.rules │ │ ├── virus.rules │ │ ├── voip.rules │ │ ├── web-activex.rules │ │ ├── web-attacks.rules │ │ ├── web-cgi.rules │ │ ├── web-client.rules │ │ ├── web-coldfusion.rules │ │ ├── web-frontpage.rules │ │ ├── web-iis.rules │ │ ├── web-misc.rules │ │ ├── web-php.rules │ │ └── x11.rules │ └── so_rules │ │ ├── browser-chrome.rules │ │ ├── browser-ie.rules │ │ ├── browser-other.rules │ │ ├── browser-webkit.rules │ │ ├── exploit-kit.rules │ │ ├── file-executable.rules │ │ ├── file-flash.rules │ │ ├── file-image.rules │ │ ├── file-java.rules │ │ ├── file-multimedia.rules │ │ ├── file-office.rules │ │ ├── file-other.rules │ │ ├── file-pdf.rules │ │ ├── indicator-shellcode.rules │ │ ├── malware-cnc.rules │ │ ├── malware-other.rules │ │ ├── netbios.rules │ │ ├── os-linux.rules │ │ ├── os-other.rules │ │ ├── os-windows.rules │ │ ├── policy-other.rules │ │ ├── policy-social.rules │ │ ├── precompiled │ │ └── Debian-9 │ │ │ └── x86-64 │ │ │ └── 2.9.15.0 │ │ │ ├── browser-chrome.so │ │ │ ├── browser-ie.so │ │ │ ├── browser-other.so │ │ │ ├── browser-webkit.so │ │ │ ├── exploit-kit.so │ │ │ ├── file-executable.so │ │ │ ├── file-flash.so │ │ │ ├── file-image.so │ │ │ ├── file-java.so │ │ │ ├── file-multimedia.so │ │ │ ├── file-office.so │ │ │ ├── file-other.so │ │ │ ├── file-pdf.so │ │ │ ├── indicator-shellcode.so │ │ │ ├── malware-cnc.so │ │ │ ├── malware-other.so │ │ │ ├── netbios.so │ │ │ ├── os-linux.so │ │ │ ├── os-other.so │ │ │ ├── os-windows.so │ │ │ ├── policy-other.so │ │ │ ├── policy-social.so │ │ │ ├── protocol-dns.so │ │ │ ├── protocol-nntp.so │ │ │ ├── protocol-other.so │ │ │ ├── 
protocol-scada.so │ │ │ ├── protocol-snmp.so │ │ │ ├── protocol-tftp.so │ │ │ ├── protocol-voip.so │ │ │ ├── pua-p2p.so │ │ │ ├── server-apache.so │ │ │ ├── server-iis.so │ │ │ ├── server-mail.so │ │ │ ├── server-mysql.so │ │ │ ├── server-oracle.so │ │ │ ├── server-other.so │ │ │ └── server-webapp.so │ │ ├── protocol-dns.rules │ │ ├── protocol-nntp.rules │ │ ├── protocol-other.rules │ │ ├── protocol-scada.rules │ │ ├── protocol-snmp.rules │ │ ├── protocol-tftp.rules │ │ ├── protocol-voip.rules │ │ ├── pua-p2p.rules │ │ ├── server-apache.rules │ │ ├── server-iis.rules │ │ ├── server-mail.rules │ │ ├── server-mysql.rules │ │ ├── server-oracle.rules │ │ ├── server-other.rules │ │ ├── server-webapp.rules │ │ └── src │ │ ├── Makefile │ │ ├── Makefile.icc15.0 │ │ ├── README │ │ ├── _meta.c │ │ ├── _meta.h │ │ ├── browser-ie_kb958690-emf-polylines.c │ │ ├── browser-other_mozilla-sslv2-cmk.c │ │ ├── category-build.pl │ │ ├── deleted_exploit-squid-ntlm-auth.c │ │ ├── deleted_ipswitch-rcptto-overflow.c │ │ ├── deleted_kb2293211-ms-excel-mergecells-rce.c │ │ ├── deleted_kb975561-ms-movie-maker-heap-bo.c │ │ ├── deleted_kb979902-wmp-mjpeg-header-size-mismatch.c │ │ ├── deleted_linux-icmp-handling-dos.c │ │ ├── deleted_openldap-authcid.c │ │ ├── deleted_smb-trans-response-paramcount.c │ │ ├── deleted_web-client-kb954593-emf-nan.c │ │ ├── deleted_web-client-kb969462-excel-obj-ftcbls-rce.c │ │ ├── deleted_web-client-kb974571-windows-crypto-api-commonname-spoofing.c │ │ ├── deleted_web-client-ttf-kernel-bug.c │ │ ├── exploit-kit_g01-exploit-kit-dga.c │ │ ├── exploit-kit_rbf-classifier.h │ │ ├── file-executable_norton-av-aspack-heap-corruption.c │ │ ├── file-executable_php-libmagic.c │ │ ├── file-flash_cve-2007-0071-swf-definesceneandframelabeldata-rce.c │ │ ├── file-image_adobe-bmp-bad-dimensions.c │ │ ├── file-image_kb924090-pict-type-3.c │ │ ├── file-image_kb924090-pict-type-4.c │ │ ├── file-image_libpng-malformed-chunk.c │ │ ├── file-image_openoffice-tiff-integer-overflow.c │ │ 
├── file-image_oracle-oit-memory-corruption.c │ │ ├── file-image_png-chunk-len-overflow.c │ │ ├── file-java_jdk-jpg-icc-parsing.c │ │ ├── file-multimedia_adobe-shockwave-ffffff88.c │ │ ├── file-multimedia_apple-crgn-atom-overflow.c │ │ ├── file-multimedia_cve-2008-5616-mplayer-demux-open-vqf-bo.c │ │ ├── file-multimedia_kb954154-wmp-malicious-playlist.c │ │ ├── file-multimedia_kb971557-avi-invalid-length.c │ │ ├── file-multimedia_kb973812-APIC.c │ │ ├── file-multimedia_kb975558-media-player-asf-MP4S.c │ │ ├── file-multimedia_quicktime-ctab-atom-heapcorrupt.c │ │ ├── file-multimedia_realplayer-wave-string-overflow.c │ │ ├── file-office_kb2027452-ms-excel-hfpicture-bo.c │ │ ├── file-office_kb2027452-ms-excel-sxview-ref-ho.c │ │ ├── file-office_kb2293211-ms-excel-table-cleanup.c │ │ ├── file-office_kb2315011-outlook-rtf.c │ │ ├── file-office_kb2423930-embedded-office-art.c │ │ ├── file-office_kb2489279-ms-excel-dv-record-bo.c │ │ ├── file-office_kb2545814-powerpoint-recolorinfoatom.c │ │ ├── file-office_kb57634-visio-packed-obj-remote-code-exec.c │ │ ├── file-office_kb924090-wpg-invalid-rle.c │ │ ├── file-office_kb947077-word-stream-parsing.c │ │ ├── file-office_kb949029-excel-sst.c │ │ ├── file-office_kb949785-powerpoint-malformed-msoDrawing-property-table.c │ │ ├── file-office_kb951207-ms-word-rtf.c │ │ ├── file-office_kb951207-word-css.c │ │ ├── file-office_kb954066-excel-obj-record-invalid-ft.c │ │ ├── file-office_kb956416-excel-rept-underflow.c │ │ ├── file-office_kb957173-dpendgroup-rtf.c │ │ ├── file-office_kb967340-powerpoint-msofbtTextbox.c │ │ ├── file-office_kb968272-excel-extrst.c │ │ ├── file-office_kb968557-excel-malformed-obj-record.c │ │ ├── file-office_kb969462-excel-brai-rce.c │ │ ├── file-office_kb969462-excel-externsheet-rce.c │ │ ├── file-office_kb972652-excel-bad-ib-value.c │ │ ├── file-office_microsoft-excel-invalid-data-item-overflow-attempt.c │ │ ├── file-office_openoffice-table-parsing-heap-bo.c │ │ ├── 
file-office_rtf-nested-listoverridetables.c │ │ ├── file-other_atmfd-adobe-font-driver-reserved-command.c │ │ ├── file-other_winamp-maki-parsing-integer-overflow.c │ │ ├── file-pdf_adobe-jp2c-rgnatom.c │ │ ├── file-pdf_obfuscated-pdf-header.c │ │ ├── malware-cnc_locky-ver1.c │ │ ├── netbios_kb961501-smb-printss-reponse.c │ │ ├── netbios_kb971468-srvnet-race-condition.c │ │ ├── netbios_kb980232-smb-client-trans-response-ring0.c │ │ ├── netbios_kb980232-smb-client-trans2-datacount.c │ │ ├── netbios_smb-andx-reply.c │ │ ├── netbios_smb-filename-len-overflow.c │ │ ├── netbios_smb-rap-read-access-violation.c │ │ ├── netbios_writex.c │ │ ├── os-linux_linux-sctp-setaddr-dos.c │ │ ├── os-linux_linux-snmp-nat-netfilter.c │ │ ├── os-other_vxworks-tcp-urgent.c │ │ ├── os-windows_ad-kerberos-referral-tgt-renewal.c │ │ ├── os-windows_igmpv3.c │ │ ├── os-windows_kb2279986-opentype-font-heap-overflow.c │ │ ├── os-windows_kb2527308-cover-page-editor-cdrawpoly.c │ │ ├── os-windows_kb924090-bmp-filter.c │ │ ├── os-windows_kb946538-active-directory-ldap.c │ │ ├── os-windows_kb948590-gdi-emf-overflow.c │ │ ├── os-windows_kb948590-gdi-integeroverflow.c │ │ ├── os-windows_kb948745-microsoft-wins.c │ │ ├── os-windows_kb950762-pgm-fragoff.c │ │ ├── os-windows_kb952044-defender.c │ │ ├── os-windows_kb952954-image-color-mgmt.c │ │ ├── os-windows_kb953235-active-directory-ldap-cookie.c │ │ ├── os-windows_kb954593-gdi-rce.c │ │ ├── os-windows_kb954593-gif-too-many-blocks.c │ │ ├── os-windows_kb957097-smb-reflex.c │ │ ├── os-windows_kb957280-active-directory-baseobject.c │ │ ├── os-windows_kb967723-small-or-zero-tcp-window.c │ │ ├── os-windows_kb969883-ms-wins-replication-request-rce.c │ │ ├── os-windows_kb969947-win-kernel-fontparsing-rce.c │ │ ├── os-windows_kb974145-tcp-sack-invalid-range.c │ │ ├── os-windows_kb978338-isatap-ipv6-src-spoofing.c │ │ ├── os-windows_kb981210-cab-sip-authenticode.c │ │ ├── os-windows_microsoft-gdi-tiff-memory-corruption.c │ │ ├── 
os-windows_microsoft-windows-rdp-connect-initial-pdu.c │ │ ├── os-windows_ms-windows-tcp-mss.c │ │ ├── os-windows_ms06-32.c │ │ ├── os-windows_pgm-nak-overflow.c │ │ ├── os-windows_radius-invalid-request.c │ │ ├── os-windows_windows-explorer-briefcase-database.c │ │ ├── policy-social_gnupg-packet-length.c │ │ ├── policy-social_pidgin-integeroverflow.c │ │ ├── protocol-dns_2007-1030-label-compression-pointer-loop.c │ │ ├── protocol-dns_bind-tkey-dos.c │ │ ├── protocol-dns_ddns-any-update.c │ │ ├── protocol-dns_dga-detector.c │ │ ├── protocol-dns_dns-spoof-mismatched-txid.c │ │ ├── protocol-dns_dns-zero-len-rdata.c │ │ ├── protocol-dns_kb945553-dns-cache-poison.c │ │ ├── protocol-dns_kb953230-dns-authoritative-nameserver-spoof.c │ │ ├── protocol-dns_libspf2-txt-record.c │ │ ├── protocol-dns_tmg-firewall-client-long-hostent.c │ │ ├── protocol-nntp_xhdr-bo.c │ │ ├── protocol-snmp_castle-rock-snmp.c │ │ ├── protocol-snmp_hmac-authentication-bypass.c │ │ ├── pua-p2p_winny.c │ │ ├── server-apache_apache-auth-ldap-log-reason.c │ │ ├── server-iis_ms-aspdotnet-viewstate.c │ │ ├── server-mail_bdat-overflow.c │ │ ├── server-mail_exchange-base64.c │ │ ├── server-mail_exchange-modprops.c │ │ ├── server-mail_ibm-domino-int-overflow.c │ │ ├── server-mail_kb959239-exchange-compressed-rtf.c │ │ ├── server-mail_mailenable-ntlm.c │ │ ├── server-mail_mercur-imapd-ntlmssp.c │ │ ├── server-mysql_mysql-com-table-dump.c │ │ ├── server-oracle_oracle-ldap-bind-request-version.c │ │ ├── server-other_cisco-asa-ike-bof.c │ │ ├── server-other_citrix-metaframe-bo.c │ │ ├── server-other_cups-ipp-memory-corruption.c │ │ ├── server-other_cve-2004-0728-microsoft-sms-remote-control-service.c │ │ ├── server-other_cve-2006-4509-novell.c │ │ ├── server-other_cve-2006-4510-novell.c │ │ ├── server-other_f5-bigip-memory-disclosure.c │ │ ├── server-other_fortinet-stack-bof.c │ │ ├── server-other_hp-openview-data-protector.c │ │ ├── server-other_ibm-domino-ldap-bof.c │ │ ├── server-other_imail-ldap.c │ │ ├── 
server-other_kb961759-isa-invalid-rst.c │ │ ├── server-other_landesk-qip-heal.c │ │ ├── server-other_ldap-object-parameter-name-overflow.c │ │ ├── server-other_mit-kerberos-sname-null-ptr-deref.c │ │ ├── server-other_mit-kerberos-tgs-req-null-ptr-deref.c │ │ ├── server-other_mit-kerberos-uninitialized-ptr.c │ │ ├── server-other_novell-edirectory-nullfilter.c │ │ ├── server-other_openldap-bind-request-dos.c │ │ ├── server-other_openssl-dtls-hs-fragment.c │ │ ├── server-other_sun-ldap.c │ │ ├── server-other_tivoli-director-bind-string-overflow.c │ │ ├── server-webapp_generic-web-server-hash-collision.c │ │ ├── so-util.h │ │ ├── so-util_base.c │ │ ├── so-util_base64-decode.c │ │ ├── so-util_base64-decode.h │ │ ├── so-util_ber.c │ │ ├── so-util_ber.h │ │ ├── so-util_dns.c │ │ ├── so-util_dns.h │ │ └── test.conf └── test_snort.py ├── tcpdump_hex_parser ├── Dockerfile ├── __init__.py ├── tcpdump_hex_parser.py └── test_tcpdump_hex_parser.py └── tcprewrite_dot1q ├── Dockerfile ├── __init__.py ├── en10mb.c ├── requirements.txt ├── tcprewrite.py └── test_tcprewrite.py /.github/workflows/stale.yml: -------------------------------------------------------------------------------- 1 | name: 'Close stale issues and PRs' 2 | on: 3 | schedule: 4 | - cron: '30 1 * * *' 5 | 6 | jobs: 7 | stale: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/stale@v8 11 | with: 12 | stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.' 13 | stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.' 14 | close-issue-message: 'This issue was closed because it has been stalled for 5 days with no activity.' 15 | close-pr-message: 'This PR was closed because it has been stalled for 10 days with no activity.' 
16 | days-before-issue-stale: 30 17 | days-before-pr-stale: 45 18 | days-before-issue-close: 5 19 | days-before-pr-close: 10 20 | exempt-issue-labels: 'dependencies' 21 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: test 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | test: 7 | 8 | runs-on: ubuntu-22.04 9 | 10 | steps: 11 | - uses: actions/checkout@v3 12 | - name: test 13 | run: | 14 | export DEBIAN_FRONTEND=noninteractive && \ 15 | echo 'debconf debconf/frontend select Noninteractive' | sudo debconf-set-selections && \ 16 | sudo apt-get update && \ 17 | sudo apt-get install -yq --no-install-recommends libev-dev python3 python3-dev python3-setuptools dialog apt-utils tshark libpcap0.8 libpcap-dev p0f tcpdump && \ 18 | pip3 install -U pip && \ 19 | pip3 install pytype pytest-cov && \ 20 | find . -name requirements.txt -type f -exec pip3 install -r {} \; && \ 21 | export PATH=/home/runner/.local/bin:$PATH && \ 22 | make test && \ 23 | coverage report && coverage xml 24 | - name: Upload coverage to Codecov 25 | uses: codecov/codecov-action@v3.1.4 26 | if: github.repository == 'iqtlabs/network-tools' 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | pytype_output/ 4 | .pytype 5 | *.py[cod] 6 | *$py.class 7 | 8 | # C extensions 9 | *.so 10 | 11 | # Editor files 12 | *~ 13 | 14 | # Distribution / packaging 15 | .Python 16 | env/ 17 | build/ 18 | develop-eggs/ 19 | dist/ 20 | downloads/ 21 | eggs/ 22 | .eggs/ 23 | lib/ 24 | lib64/ 25 | parts/ 26 | sdist/ 27 | var/ 28 | wheels/ 29 | *.egg-info/ 30 | .installed.cfg 31 | *.egg 32 | 33 | # PyInstaller 34 | # Usually these files are written by a python script from a template 35 | 
# before PyInstaller builds the exe, so as to inject date/other infos into it. 36 | *.manifest 37 | *.spec 38 | 39 | # Installer logs 40 | pip-log.txt 41 | pip-delete-this-directory.txt 42 | 43 | # Unit test / coverage reports 44 | htmlcov/ 45 | .tox/ 46 | .coverage 47 | .coverage.* 48 | .cache 49 | nosetests.xml 50 | coverage.xml 51 | *,cover 52 | .hypothesis/ 53 | .pytest_cache/ 54 | 55 | # Translations 56 | *.mo 57 | *.pot 58 | 59 | # Django stuff: 60 | *.log 61 | local_settings.py 62 | 63 | # Flask stuff: 64 | instance/ 65 | .webassets-cache 66 | 67 | # Scrapy stuff: 68 | .scrapy 69 | 70 | # Sphinx documentation 71 | docs/_build/ 72 | 73 | # PyBuilder 74 | target/ 75 | 76 | # Jupyter Notebook 77 | .ipynb_checkpoints 78 | 79 | # pyenv 80 | .python-version 81 | 82 | # celery beat schedule file 83 | celerybeat-schedule 84 | 85 | # SageMath parsed files 86 | *.sage.py 87 | 88 | # dotenv 89 | .env 90 | 91 | # virtualenv 92 | .venv 93 | venv/ 94 | ENV/ 95 | 96 | # Spyder project settings 97 | .spyderproject 98 | 99 | # Rope project settings 100 | .ropeproject 101 | 102 | # vim temp files 103 | *.swp 104 | *.swo 105 | 106 | .mypy_cache 107 | 108 | # IntelliJ IDE files 109 | .idea/ 110 | *.bak 111 | 112 | *.DS_Store 113 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | # This file lists all individuals having contributed content to the repository. 2 | # If you're submitting a patch, please add your name here in alphabetical order as part of the patch. 3 | # 4 | # For a list of active project maintainers, see the MAINTAINERS file. 
5 | # 6 | Charlie Lewis 7 | codeavenger07 8 | gb-hacktoberfest 9 | George Lewis 10 | Jacob Jangles 11 | Jeffrey Wang 12 | Sebastian Lugo 13 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing to Network Tools 2 | 3 | Want to hack on network tools? Awesome! Here are instructions to get you 4 | started. They are probably not perfect, please let us know if anything 5 | feels wrong or incomplete. 6 | 7 | ## Contribution guidelines 8 | 9 | ### Pull requests are always welcome 10 | 11 | We are always thrilled to receive pull requests, and do our best to 12 | process them as fast as possible. Not sure if that typo is worth a pull 13 | request? Do it! We will appreciate it. 14 | 15 | If your pull request is not accepted on the first try, don't be 16 | discouraged! If there's a problem with the implementation, hopefully 17 | you received feedback on what to improve. 18 | 19 | We're trying very hard to keep Network Tools lean and focused. We don't want it 20 | to do everything for everybody. This means that we might decide against 21 | incorporating a new feature. However, there might be a way to implement 22 | that feature *on top of* Network Tools! 23 | 24 | ### Create issues... 25 | 26 | Any significant improvement should be documented as [a github 27 | issue](https://github.com/IQTLabs/network-tools/issues) before anybody 28 | starts working on it. 29 | 30 | ### ...but check for existing issues first! 31 | 32 | Please take a moment to check that an issue doesn't already exist 33 | documenting your bug report or improvement proposal. If it does, it 34 | never hurts to add a quick "+1" or "I have this problem too". This will 35 | help prioritize the most common problems and requests. 
36 | 37 | ### Conventions 38 | 39 | Make sure you include relevant updates or additions to documentation and 40 | tests when creating or modifying features. 41 | 42 | Pull request descriptions should be as clear as possible and include a 43 | reference to all the issues that they address. 44 | 45 | Code review comments may be added to your pull request. Discuss, then make the 46 | suggested modifications and push additional commits to your feature branch. Be 47 | sure to post a comment after pushing. The new commits will show up in the pull 48 | request automatically, but the reviewers will not be notified unless you 49 | comment. 50 | 51 | Commits that fix or close an issue should include a reference like 52 | `Closes #XXX` or `Fixes #XXX`, which will automatically close the issue 53 | when merged. 54 | 55 | Add your name to the AUTHORS file, but make sure the list is sorted and 56 | your name and email address match your git configuration. The AUTHORS 57 | file is regenerated occasionally from the git commit history, so a 58 | mismatch may result in your changes being overwritten. 59 | 60 | ## Decision process 61 | 62 | ### How are decisions made? 63 | 64 | Short answer: with pull requests to the Network Tools repository. 65 | 66 | All decisions affecting Network Tools, big and small, follow the same 3 steps: 67 | 68 | * Step 1: Open a pull request. Anyone can do this. 69 | 70 | * Step 2: Discuss the pull request. Anyone can do this. 71 | 72 | * Step 3: Accept or refuse a pull request. A maintainer does this. 73 | 74 | ### How can I become a maintainer? 75 | 76 | * Step 1: Learn the code inside out 77 | * Step 2: Make yourself useful by contributing code, bugfixes, support etc. 78 | 79 | Don't forget: being a maintainer is a time investment. Make sure you will 80 | have time to make yourself available. You don't have to be a maintainer 81 | to make a difference on the project! 82 | 83 | ### What are a maintainer's responsibilities? 
84 | 85 | It is every maintainer's responsibility to: 86 | 87 | * 1) Deliver prompt feedback and decisions on pull requests. 88 | * 2) Be available to anyone with questions, bug reports, criticism etc. on Network Tools 89 | 90 | ### How is this process changed? 91 | 92 | Just like everything else: by making a pull request :) 93 | 94 | *Derivative work from [Docker](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).* 95 | -------------------------------------------------------------------------------- /MAINTAINERS: -------------------------------------------------------------------------------- 1 | Charlie Lewis 2 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | test: 2 | RESULT_PATH=/dev/null PYTHONPATH=network_tap/ncontrol:network_tools_lib python3 -m pytest -l -s -v --cov=. --cov-report term-missing 3 | # TODO: complete pytype coverage for pcap_stats 4 | PYTHONPATH=network_tap/ncontrol:network_tools_lib pytype -k --exclude=pcap_stats . 5 | ./network_tap/ncapture/test_ncapture.sh 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # network-tools 2 | 3 | ![Build Status](https://github.com/IQTLabs/network-tools/workflows/test/badge.svg) 4 | [![codecov](https://codecov.io/gh/IQTLabs/network-tools/branch/main/graph/badge.svg)](https://codecov.io/gh/IQTLabs/network-tools) 5 | [![Docker Hub Downloads](https://img.shields.io/docker/pulls/iqtlabs/p0f.svg)](https://hub.docker.com/u/iqtlabs) 6 | 7 | This project is a collection of network-traffic-related tools that are used by various projects, such as [Poseidon](https://github.com/IQTLabs/poseidon) and [Packet Cafe](https://github.com/IQTLabs/packet_cafe). 
8 | -------------------------------------------------------------------------------- /mercury/Dockerfile: -------------------------------------------------------------------------------- 1 | # TODO: requires python3.8 2 | FROM alpine:3.18 3 | LABEL maintainer="Charlie Lewis " 4 | 5 | ENV DEBIAN_FRONTEND noninteractive 6 | ENV PYTHONUNBUFFERED 1 7 | ENV PYTHONPATH=/app/network_tools_lib 8 | 9 | WORKDIR /app 10 | COPY mercury/requirements.txt /app/requirements.txt 11 | RUN apk add --update \ 12 | cargo \ 13 | gcc \ 14 | linux-headers \ 15 | libffi-dev \ 16 | libpcap-dev \ 17 | musl-dev \ 18 | openssl-dev \ 19 | python3 \ 20 | python3-dev \ 21 | py3-pip \ 22 | && pip3 install --no-cache-dir -r /app/requirements.txt \ 23 | && apk del \ 24 | cargo \ 25 | gcc \ 26 | libffi-dev \ 27 | openssl-dev \ 28 | python3-dev \ 29 | && rm -rf /var/cache/apk/* 30 | 31 | COPY mercury/ /app 32 | COPY network_tools_lib/ /app/network_tools_lib 33 | RUN python3 /app/app.py 34 | 35 | ENTRYPOINT ["python3", "/app/app.py"] 36 | CMD [""] 37 | -------------------------------------------------------------------------------- /mercury/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/mercury/__init__.py -------------------------------------------------------------------------------- /mercury/app.py: -------------------------------------------------------------------------------- 1 | import datetime 2 | import json 3 | import os 4 | import shutil 5 | import sys 6 | import tempfile 7 | 8 | import pika 9 | import network_tools_lib 10 | 11 | VERSION = network_tools_lib.get_version() 12 | 13 | 14 | def connect_rabbit(host='messenger', port=5672, queue='task_queue'): 15 | params = pika.ConnectionParameters(host=host, port=port) 16 | connection = pika.BlockingConnection(params) 17 | channel = connection.channel() 18 | channel.queue_declare(queue=queue, 
durable=True) 19 | return channel 20 | 21 | def send_rabbit_msg(msg, channel, exchange='', routing_key='task_queue'): 22 | channel.basic_publish(exchange=exchange, 23 | routing_key=routing_key, 24 | body=json.dumps(msg), 25 | properties=pika.BasicProperties(delivery_mode=2)) 26 | print(" [X] %s UTC %r %r" % (str(datetime.datetime.utcnow()), 27 | str(msg['id']), str(msg['file_path']))) 28 | 29 | def run_mercury(path): 30 | with tempfile.TemporaryDirectory() as tempdir: 31 | mercury = shutil.which('pmercury') 32 | mercury_output = os.path.join(tempdir, 'mercury_output.txt') 33 | args = [mercury, '-awxg', '-r', path, '-f', mercury_output] 34 | network_tools_lib.run_proc(args) 35 | with open(mercury_output, 'r') as f: 36 | return f.read() 37 | 38 | def parse_output(mercury_output): 39 | results = [] 40 | for mercury_line in mercury_output.splitlines(): 41 | results.append(json.loads(mercury_line)) 42 | return results 43 | 44 | def ispcap(pathfile): 45 | for ext in ('pcap', 'pcapng', 'dump', 'capture'): 46 | if pathfile.endswith(''.join(('.', ext))): 47 | return True 48 | return False 49 | 50 | def main(): 51 | if len(sys.argv) == 1: 52 | print('requires path') 53 | sys.exit(0) 54 | pcap_paths = [] 55 | path = sys.argv[1] 56 | if os.path.isdir(path): 57 | for root, _, files in os.walk(path): 58 | for pathfile in files: 59 | if ispcap(pathfile): 60 | pcap_paths.append(os.path.join(root, pathfile)) 61 | else: 62 | pcap_paths.append(path) 63 | 64 | for path in pcap_paths: 65 | mercury_output = run_mercury(path) 66 | results = parse_output(mercury_output) 67 | print(results) 68 | 69 | if os.environ.get('rabbit', '') == 'true': 70 | uid = os.environ.get('id', '') 71 | try: 72 | channel = connect_rabbit() 73 | if results: 74 | body = { 75 | 'id': uid, 'type': 'metadata', 'file_path': path, 'data': results, 'results': { 76 | 'tool': 'mercury', 'version': VERSION}} 77 | send_rabbit_msg(body, channel) 78 | if path == pcap_paths[-1]: 79 | body = { 80 | 'id': uid, 'type': 
'metadata', 'file_path': path, 'data': '', 'results': { 81 | 'tool': 'mercury', 'version': VERSION}} 82 | send_rabbit_msg(body, channel) 83 | except Exception as e: 84 | print(str(e)) 85 | 86 | 87 | if __name__ == "__main__": # pragma: no cover 88 | main() 89 | -------------------------------------------------------------------------------- /mercury/requirements.txt: -------------------------------------------------------------------------------- 1 | cryptography==41.0.3 2 | pika==1.3.2 3 | pmercury==0.5.2.44 4 | -------------------------------------------------------------------------------- /mercury/test_app.py: -------------------------------------------------------------------------------- 1 | """ 2 | Test module for app.py 3 | 4 | Created on 7 January 2020 5 | @author: Charlie Lewis 6 | """ 7 | import os 8 | import sys 9 | 10 | from .app import VERSION 11 | from .app import parse_output 12 | from .app import ispcap 13 | from .app import main 14 | from .app import run_mercury 15 | 16 | 17 | TEST_LO_CAP = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'test_lo.pcap') 18 | 19 | 20 | def test_ispcap(): 21 | assert ispcap('afile.pcap') 22 | assert not ispcap('notapcap.txt') 23 | 24 | 25 | def test_version(): 26 | assert VERSION.startswith('0.') # nosec 27 | 28 | 29 | def test_parse_output(): 30 | mercury_output = run_mercury(TEST_LO_CAP) 31 | result = parse_output(mercury_output) 32 | #assert [{'src_ip': '127.0.0.1', 'dst_ip': '127.0.0.1', 'src_port': 46718, 'dst_port': 1025, 'protocol': 6, 'event_start': 1576897976.620999, 'event_end': 1576897976.620999, 'fingerprints': [{'event_start': 1576897976.620999, 'tcp': '(aaaa)(0204ffd7)(04)(08)(01)(030309)'}]}, {'src_ip': '0000:0000:0000:0000:0000:0000:0000:0001', 'dst_ip': '0000:0000:0000:0000:0000:0000:0000:0001', 'src_port': 36728, 'dst_port': 1025, 'protocol': 6, 'event_start': 1576897991.011601, 'event_end': 1576897991.011601, 'fingerprints': [{'event_start': 1576897991.011601, 'tcp': 
'(aaaa)(0204ffc4)(04)(08)(01)(030309)'}]}, {'src_ip': '0000:0000:0000:0000:0000:0000:0000:0001', 'dst_ip': '0000:0000:0000:0000:0000:0000:0000:0001', 'src_port': 36730, 'dst_port': 1025, 'protocol': 6, 'event_start': 1576897996.539537, 'event_end': 1576897996.539537, 'fingerprints': [{'event_start': 1576897996.539537, 'tcp': '(aaaa)(0204ffc4)(04)(08)(01)(030309)'}]}] == result 33 | 34 | 35 | def test_main(): 36 | if len(sys.argv) == 0: 37 | sys.argv = [os.devnull, TEST_LO_CAP] 38 | else: 39 | sys.argv[1] = TEST_LO_CAP 40 | main() 41 | -------------------------------------------------------------------------------- /mercury/test_lo.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/mercury/test_lo.pcap -------------------------------------------------------------------------------- /network_tap/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.18 2 | LABEL maintainer="Charlie Lewis " 3 | 4 | ENV PYTHONPATH=/network-tap/network_tools_lib 5 | ENV PYTHONUNBUFFERED 1 6 | 7 | COPY network_tap/ncontrol/requirements.txt requirements.txt 8 | COPY network_tap/healthcheck /healthcheck 9 | 10 | RUN apk add --update \ 11 | curl \ 12 | gcc \ 13 | g++ \ 14 | git \ 15 | libev-dev \ 16 | linux-headers \ 17 | musl-dev \ 18 | python3 \ 19 | python3-dev \ 20 | py3-pip \ 21 | && pip3 install --no-cache-dir -r requirements.txt \ 22 | && pip3 install --no-cache-dir -r /healthcheck/requirements.txt \ 23 | && apk del \ 24 | gcc \ 25 | g++ \ 26 | git \ 27 | linux-headers \ 28 | musl-dev \ 29 | python3-dev \ 30 | && rm -rf /var/cache/apk/* 31 | 32 | # healthcheck 33 | ENV FLASK_APP /healthcheck/hc.py 34 | HEALTHCHECK --interval=15s --timeout=15s \ 35 | CMD curl --silent --fail http://localhost:5000/healthcheck || exit 1 36 | 37 | COPY network_tap /network-tap 38 | COPY network_tools_lib 
/network-tap/network_tools_lib 39 | WORKDIR /network-tap 40 | 41 | EXPOSE 8080 42 | 43 | CMD (flask run > /dev/null 2>&1) & (python3 ncontrol/ncontrol.py) 44 | -------------------------------------------------------------------------------- /network_tap/README.md: -------------------------------------------------------------------------------- 1 | Once this tool is started, it can be interacted with through it's RESTful interface. To find the port it's exposed on, you can go into the shell and search for it using docker commands. 2 | 3 | Once you have the IP and port it's running on, you can make a POST request that looks like this: 4 | 5 | ``` 6 | http://192.168.99.100:32815/create 7 | ``` 8 | 9 | Along with a payload that looks like this: 10 | 11 | ``` 12 | {"nic":"eth1","id":"foo","interval":"300","filter":"","iters":"-1"} 13 | ``` 14 | for a continuously running filter, or like: 15 | ``` 16 | {"nic":"eth1","id":"foo","interval":"300","filter":"","iters":"1"} 17 | ``` 18 | for a filter to run `1` capture. 19 | 20 | In the payload, the `nic` will be the network controller you want to capture on, the `id` can be any unique value, the `interval` is the time in seconds to cut up the captures into for processing, the `filter` is for limiting what gets captured off the network controller, if it's an empty string as in this example, there is no filter applied, and the `iters` is for specifying the number of captures to make (if this is 0 or less then the collector will run until killed, otherwise it will make this many captures). 
21 | -------------------------------------------------------------------------------- /network_tap/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/network_tap/__init__.py -------------------------------------------------------------------------------- /network_tap/healthcheck/hc.py: -------------------------------------------------------------------------------- 1 | from flask import Flask 2 | 3 | from healthcheck import EnvironmentDump 4 | from healthcheck import HealthCheck 5 | 6 | app = Flask(__name__) 7 | 8 | health = HealthCheck(app, '/healthcheck') 9 | envdump = EnvironmentDump(app, '/environment') 10 | 11 | 12 | def application_data(): 13 | return {'maintainer': 'Charlie Lewis', 14 | 'git_repo': 'https://github.com/IQTLabs/network-tools', 15 | 'app': 'network_tap'} 16 | 17 | 18 | envdump.add_section('application', application_data) 19 | -------------------------------------------------------------------------------- /network_tap/healthcheck/requirements.txt: -------------------------------------------------------------------------------- 1 | flask==2.3.2 2 | healthcheck==1.3.3 3 | -------------------------------------------------------------------------------- /network_tap/ncapture/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.18 as checkout 2 | LABEL maintainer="Charlie Lewis " 3 | 4 | RUN apk add --update git 5 | WORKDIR /src 6 | RUN git clone https://github.com/wanduow/wandio.git -b 4.2.3-1 \ 7 | && git clone https://github.com/LibtraceTeam/libtrace.git -b 4.0.16-1 \ 8 | && git clone https://github.com/wanduow/libwdcap.git -b 1.0.1-1 9 | 10 | FROM alpine:3.18 as builder 11 | COPY --from=checkout /src /src 12 | WORKDIR /src 13 | 14 | RUN apk add --update autoconf automake bison build-base flex gcc libtool libpcap-dev libpcap linux-headers openssl-dev 
musl-dev yaml-dev 15 | 16 | WORKDIR /src/wandio 17 | RUN ./bootstrap.sh && ./configure && make && make install 18 | WORKDIR /src/libtrace 19 | RUN ./bootstrap.sh && ./configure 20 | WORKDIR /src/libtrace/lib 21 | RUN make install 22 | WORKDIR /src/libtrace/libpacketdump 23 | RUN make install 24 | WORKDIR /src/libwdcap 25 | RUN ./bootstrap.sh && ./configure --disable-shared && make && make install 26 | WORKDIR /src/libwdcap/examples 27 | RUN g++ -fpermissive -o tracecapd tracecapd.c -L/usr/local/lib -Wl,-Bstatic -ltrace -lwdcap -lwandio -Wl,-Bdynamic -lpcap -lssl -lcrypto -lyaml && cp tracecapd /usr/local/bin 28 | 29 | FROM alpine:3.18 30 | 31 | WORKDIR /tmp 32 | VOLUME /tmp 33 | 34 | COPY network_tap/ncapture/ /tmp 35 | COPY network_tools_lib /tmp/network_tools_lib 36 | 37 | RUN apk add --update bash coreutils python3 py3-pip yaml openssl libpcap 38 | RUN pip3 install --no-cache-dir -r requirements.txt 39 | COPY --from=builder /usr/local/bin/tracecapd /usr/local/bin/tracecapd 40 | RUN ldd /usr/local/bin/tracecapd 41 | 42 | ENV PYTHONPATH=/tmp/network_tools_lib 43 | CMD ["/tmp/run.sh"] 44 | -------------------------------------------------------------------------------- /network_tap/ncapture/requirements.txt: -------------------------------------------------------------------------------- 1 | pika==1.3.2 2 | -------------------------------------------------------------------------------- /network_tap/ncapture/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | URI="$1" 4 | INTERVAL="$2" 5 | ID="$3" 6 | ITERS="$4" 7 | FILTER="$5" 8 | if [ -z "$6" ]; then 9 | OUT_PATH="/files/" 10 | else 11 | OUT_PATH="$6" 12 | fi 13 | 14 | # TODO: migrate above static args to getopt style. 15 | 16 | # check if filter has '' surrounding it 17 | if [[ "$FILTER" =~ ^\'.*\'$ ]]; then 18 | FILTER=${FILTER:1:${#FILTER}-2} 19 | fi 20 | 21 | # See https://github.com/wanduow/libwdcap for full flag documentation. 
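# Set CryptoPAn IP anonymization (https://en.wikipedia.org/wiki/Crypto-PAn) with -a (default none).
ANON="none"
# Set checksum updating for anonymization.
CSUM="check"
# Set number of app payload size to keep in bytes.
PAYS="4"
# Set number of DNS payload size to keep in bytes
DPAYS="12"


# The six positional arguments are consumed above ($1..$6).  getopts stops at
# the first word that is not an option, so they have to be shifted away first;
# otherwise the flags that follow them (the way test_ncapture.sh passes them)
# are never seen and the defaults above are always used.
if [ $# -ge 6 ]; then
    shift 6
fi

# -o is handled in the case below, so it must be declared in the optstring too.
while getopts "a:c:d:o:s:" arg; do
    case $arg in
        a)
            ANON=$OPTARG
            ;;
        c)
            CSUM=$OPTARG
            ;;
        d)
            DPAYS=$OPTARG
            ;;
        o)
            OUT_PATH=$OPTARG
            ;;
        s)
            PAYS=$OPTARG
            ;;
    esac
done

# Private scratch directory for the two tracecapd config files.
CAPTMP=$(mktemp -d)

# Build a capture file name from the capture id and the current timestamp.
make_pcap_name() {
    local id=$1
    local dt=$(date '+%Y-%m-%d_%H_%M_%S')
    echo trace_${id}_${dt}.pcap
}

# Run one tracecapd capture of $interval seconds on $uri, writing $name.
# Arguments: uri name interval filter.  On a non-zero tracecapd exit the
# failure is reported via send_message.py and the script exits.
run_tracecapd() {
    local uri=$1
    local name=$2
    local interval=$3
    local filter=$4

    local dwconf=${CAPTMP}/dw.yaml
    local ppconf=${CAPTMP}/pp.yaml

    # default to interface URI if no prefix.
    # See https://wand.net.nz/trac/libtrace/wiki/SupportedTraceFormats.
    if [[ ! "$uri" =~ .+":".+ ]]; then
        uri="int:$uri"
    fi

    echo -e "format: pcapfile\nnamingscheme: ${name}\ncompressmethod: none\nrotationperiod: day\n" > $dwconf
    echo -e "anon: $ANON\nchecksum: $CSUM\npayload: $PAYS\ndnspayload: $DPAYS\n" > $ppconf
    # timeout ends the capture after $interval seconds; --preserve-status keeps
    # tracecapd's own exit code so a real failure is distinguishable.
    timeout --preserve-status -k2 ${interval}s tracecapd -t 1 -c $dwconf -p $ppconf -s $uri -f "$filter"
    status=$?
    if [ $status != 0 ]; then
        python3 send_message.py -1;
        exit 1
    fi
}

# One capture cycle: name the file, capture, move it to $out_path and notify.
# Arguments: uri id interval filter out_path.
run_capture() {
    local uri=$1
    local id=$2
    local interval=$3
    local filter=$4
    local out_path=$5

    local name=$(make_pcap_name $id)
    # NOTE(review): the fourth argument is commented out, so run_tracecapd
    # always receives an empty filter even though one is accepted on the
    # command line and documented in the README.  Confirm whether that is
    # intentional before forwarding "$filter" here.
    run_tracecapd $uri $name $interval #"$filter"
    mv $name $out_path;
    status=$?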
96 | if [ $status != 0 ]; then 97 | python3 send_message.py -1; 98 | else 99 | python3 send_message.py $out_path/$name; 100 | fi 101 | } 102 | 103 | # if ITERS is non-negative then do the capture ITERS times 104 | if [ $ITERS -gt "0" ]; then 105 | COUNTER=0 106 | while [ $COUNTER -lt $ITERS ]; do 107 | run_capture $URI $ID $INTERVAL "$FILTER" $OUT_PATH 108 | let COUNTER=COUNTER+1; 109 | done 110 | else # else do the capture until killed 111 | while true 112 | do 113 | run_capture $URI $ID $INTERVAL "$FILTER" $OUT_PATH 114 | done 115 | fi 116 | -------------------------------------------------------------------------------- /network_tap/ncapture/send_message.py: -------------------------------------------------------------------------------- 1 | """ 2 | Sends message to RabbitMQ to notify capture is complete and written to a file 3 | 4 | Created on 27 November 2019 5 | @author: Charlie Lewis 6 | """ 7 | import argparse 8 | import datetime 9 | import json 10 | import os 11 | 12 | import pika 13 | import network_tools_lib 14 | 15 | VERSION = network_tools_lib.get_version() 16 | 17 | 18 | def connect_rabbit(host='messenger', port=5672, queue='task_queue'): 19 | params = pika.ConnectionParameters(host=host, port=port) 20 | connection = pika.BlockingConnection(params) 21 | channel = connection.channel() 22 | channel.queue_declare(queue=queue, durable=True) 23 | return channel 24 | 25 | 26 | def send_rabbit_msg(msg, channel, exchange='', routing_key='task_queue'): 27 | channel.basic_publish(exchange=exchange, 28 | routing_key=routing_key, 29 | body=json.dumps(msg), 30 | properties=pika.BasicProperties(delivery_mode=2,)) 31 | print(' [X] %s UTC %r %r' % (str(datetime.datetime.utcnow()), 32 | str(msg['id']), str(msg['file_path']))) 33 | 34 | 35 | def get_path(paths): 36 | path = None 37 | try: 38 | path = paths[0] 39 | except Exception as e: 40 | print('No path provided: {0}, quitting'.format(str(e))) 41 | return path 42 | 43 | 44 | def parse_args(parser): 45 | 
parser.add_argument('paths', nargs='*') 46 | parsed_args = parser.parse_args() 47 | return parsed_args 48 | 49 | 50 | if __name__ == '__main__': # pragma: no cover 51 | parsed_args = parse_args(argparse.ArgumentParser()) 52 | path = get_path(parsed_args.paths) 53 | uid = os.environ.get('id', '') 54 | external_host = os.environ.get('external_host', 'messenger') 55 | if os.environ.get('rabbit', False) == 'true': 56 | try: 57 | channel = connect_rabbit(host=external_host) 58 | body = {'id': uid, 'type': 'metadata', 'file_path': path, 59 | 'data': '', 'file_type': 'pcap_strip', 60 | 'results': {'tool': 'ncapture', 'version': VERSION}} 61 | send_rabbit_msg(body, channel) 62 | except Exception as e: 63 | print(str(e)) 64 | -------------------------------------------------------------------------------- /network_tap/ncapture/test_ncapture.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # smoke test for ncapture worker 4 | 5 | URI=lo 6 | IP=127.0.0.1 7 | SIZE=1000 8 | MAXCAPLEN=50 9 | 10 | sudo apt-get update && sudo apt-get install tcpdump tshark 11 | docker build -f network_tap/ncapture/Dockerfile . -t iqtlabs/ncapture || exit 1 12 | 13 | TMPDIR=$(mktemp -d) 14 | echo starting ncapture 15 | docker run --privileged --net=host --cap-add=NET_ADMIN -v $TMPDIR:/files -t iqtlabs/ncapture /tmp/run.sh $URI 15 test 1 "host $IP and icmp" "" -d 12 -s 4 -a none -c none -o /files/ || exit 1 & 16 | echo waiting for pcap 17 | PINGS=0 18 | while [ "$(find $TMPDIR -prune -empty)" ] ; do 19 | ((++PINGS)) 20 | # need sudo for low interval 21 | sudo ping -q -n -i 0.1 -s $SIZE -c 10 $IP > /dev/null 22 | echo -n .$PINGS 23 | if [ "$PINGS" -gt "60" ] ; then 24 | echo timed out waiting for pcap 25 | exit 1 26 | fi 27 | done 28 | echo .got pcap 29 | tcpdump -n -r $TMPDIR/*pcap greater $SIZE > $TMPDIR/greater.txt || exit 1 30 | if [ ! 
-s $TMPDIR/greater.txt ] ; then
    echo "FAIL: no packets with original size $SIZE"
    exit 1
fi
capinfos -l $TMPDIR/*cap
CAPLEN=$(capinfos -l $TMPDIR/*cap|grep -oE 'Packet size limit:\s+inferred: [0-9]+ bytes'|grep -oE '[0-9]+')
echo caplen: $CAPLEN
if [ "$CAPLEN" == "" ] ; then
    echo "FAIL: capture length not limited"
    exit 1
fi
if [ "$CAPLEN" -gt "$MAXCAPLEN" ] ; then
    echo "FAIL: capture length $CAPLEN over limit (payload not stripped?)"
    exit 1
fi
echo ok

rm -rf $TMPDIR

--------------------------------------------------------------------------------
/network_tap/ncontrol/ncontrol.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import bjoern
import falcon
from falcon_cors import CORS

import routes

def make_api():
    """Build the falcon application and mount every route from routes.routes().

    Returns:
        The configured ``falcon.App``.

    NOTE(review): the only middleware installed is the CORS one, and it is
    configured to allow every origin; no authentication or authorization
    layer is visible here, so anyone who can reach the listening port can
    call the mounted routes (/create, /delete, /info, /list, /start, /stop),
    which the tests drive with Docker container ids.  Keep the port reachable
    only from trusted networks, or put an authenticating proxy in front of it.
    """
    cors = CORS(allow_all_origins=True)
    api = falcon.App(middleware=[cors.middleware])
    r = routes.routes()
    for route in r:
        api.add_route(route, r[route])
    return api


if __name__ == "__main__":
    # Binds on all interfaces (hence the nosec marker); see the note in
    # make_api() about exposure.
    bjoern.run(make_api(), "0.0.0.0", 8080)  # nosec

--------------------------------------------------------------------------------
/network_tap/ncontrol/requirements.txt:
--------------------------------------------------------------------------------
bjoern==3.2.2
docker==6.1.3
falcon==3.1.1
falcon-cors==1.1.7

--------------------------------------------------------------------------------
/network_tap/ncontrol/routes.py:
--------------------------------------------------------------------------------
def routes():
    """Map each endpoint path to its handler instance from paths.py.

    The order of ``funcs`` must match the order of ``endpoints()``: the two
    lists are zipped pairwise into the returned dict.
    """
    import paths
    p = endpoints()
    create_r = paths.CreateR()
    delete_r = paths.DeleteR()
    info_r = paths.InfoR()
    list_r = paths.ListR()
    start_r = paths.StartR()
    stop_r = paths.StopR()
    funcs = [create_r,
             delete_r,
             info_r,
             list_r,
             start_r,
             stop_r]
    return
dict(list(zip(p, funcs))) 17 | 18 | 19 | def endpoints(): 20 | return ['/create', 21 | '/delete', 22 | '/info', 23 | '/list', 24 | '/start', 25 | '/stop'] 26 | -------------------------------------------------------------------------------- /network_tap/ncontrol/test_ncontrol.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import docker 3 | import falcon 4 | import pytest 5 | from falcon import testing 6 | 7 | from ncontrol import make_api 8 | 9 | 10 | @pytest.fixture 11 | def client(): 12 | return testing.TestClient(make_api()) 13 | 14 | 15 | def test_create_r(client): 16 | """ tests the restful endpoint: create """ 17 | # test create 18 | payload = {'id': 'foo', 'interval': '60', 'filter': '', 'nic': 'eth1'} 19 | r = client.simulate_post('/create', json=payload) 20 | assert r.status == '200 OK' 21 | r = client.simulate_post('/create', json={'id': 'foo', 22 | 'interval': '60', 23 | 'iters': '1', 24 | 'filter': '', 25 | 'nic': 'eth1'}) 26 | assert r.status == '200 OK' 27 | r = client.simulate_post('/create', json={}) 28 | assert r.status == '200 OK' 29 | r = client.simulate_post('/create', json={'nic': 'eth1'}) 30 | assert r.status == '200 OK' 31 | r = client.simulate_post('/create', json={'nic': 'eth1', 'id': 'foo'}) 32 | assert r.status == '200 OK' 33 | r = client.simulate_post( 34 | '/create', json={'nic': 'eth1', 'id': 'foo', 'interval': '61'}) 35 | assert r.status == '200 OK' 36 | r = client.simulate_post('/create', json={'id': 'foo', 37 | 'interval': '60', 38 | 'filter': '', 39 | 'metadata': '{"foo": "bar"}', 40 | 'iters': '1', 41 | 'nic': 'eth1'}) 42 | assert r.status == '200 OK' 43 | 44 | 45 | def test_info_r(client): 46 | """ tests the restful endpoint: info """ 47 | # test info 48 | r = client.simulate_get('/info') 49 | assert r.status == '200 OK' 50 | 51 | 52 | def test_list_r(client): 53 | """ tests the restful endpoint: list """ 54 | # test list 55 | r = client.simulate_get('/list') 56 | 
assert r.status == '200 OK' 57 | 58 | 59 | def test_stop_r(client): 60 | """ tests the restful endpoint: stop """ 61 | # create some container and start it 62 | d = docker.from_env() 63 | d.images.pull('alpine') 64 | test_cont = d.containers.create('alpine') 65 | 66 | # test stop 67 | r = client.simulate_post('/stop', json={}) 68 | assert r.status == '200 OK' 69 | r = client.simulate_post('/stop', json={'id': test_cont.attrs['Id']}) 70 | assert r.status == '200 OK' 71 | r = client.simulate_post('/stop', json={'id': []}) 72 | assert r.status == '200 OK' 73 | 74 | 75 | def test_start_r(client): 76 | """ tests the restful endpoint: start """ 77 | # create some container 78 | d = docker.from_env() 79 | d.images.pull('alpine') 80 | test_cont = d.containers.create('alpine') 81 | 82 | # test start 83 | r = client.simulate_post('/start', json={}) 84 | assert r.status == '200 OK' 85 | r = client.simulate_post('/start', json={'id': test_cont.attrs['Id']}) 86 | assert r.status == '200 OK' 87 | r = client.simulate_post('/start', json={'id': []}) 88 | assert r.status == '200 OK' 89 | 90 | 91 | def test_delete_r(client): 92 | """ tests the restful endpoint: delete """ 93 | # create some container and start it 94 | d = docker.from_env() 95 | d.images.pull('alpine') 96 | test_cont = d.containers.create('alpine') 97 | 98 | # test delete 99 | r = client.simulate_post('/delete', json={}) 100 | assert r.status == '200 OK' 101 | r = client.simulate_post('/delete', json={'id': test_cont.attrs['Id']}) 102 | assert r.status == '200 OK' 103 | r = client.simulate_post('/delete', json={'id': []}) 104 | assert r.status == '200 OK' 105 | -------------------------------------------------------------------------------- /network_tools_lib/VERSION: -------------------------------------------------------------------------------- 1 | 0.11.33 2 | -------------------------------------------------------------------------------- /network_tools_lib/network_tools_lib.py: 
-------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | 4 | 5 | def mod_path(filename, file_for_dir=None): 6 | if file_for_dir is None: 7 | file_for_dir = __file__ 8 | return os.path.join(os.path.dirname(os.path.realpath(file_for_dir)), filename) 9 | 10 | 11 | def get_version(): 12 | ver_path = os.path.join(mod_path('VERSION', __file__)) 13 | with open(ver_path, 'r') as f: 14 | return f.read().strip() 15 | 16 | 17 | def run_proc(args, output=subprocess.DEVNULL): 18 | with subprocess.Popen(args, stdout=output) as proc: 19 | proc_output = proc.communicate() 20 | return proc_output 21 | -------------------------------------------------------------------------------- /p0f/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM iqtlabs/rbqwrapper:v0.11.33 2 | LABEL maintainer="Charlie Lewis " 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | ENV PYTHONUNBUFFERED 1 6 | ENV PYTHONPATH=/app/network_tools_lib 7 | 8 | # Install packages 9 | # hadolint ignore=DL3008 10 | RUN apt-get update && \ 11 | apt-get install -y --no-install-recommends gcc libxml2-dev libxslt-dev python3-dev tshark p0f zlib1g-dev && \ 12 | rm -rf /var/cache/* && \ 13 | rm -rf /root/.cache/* 14 | 15 | WORKDIR /app 16 | COPY p0f/ /app 17 | COPY network_tools_lib /app/network_tools_lib 18 | RUN pip3 install --no-cache-dir -r requirements.txt 19 | 20 | ENTRYPOINT ["/rbqwrapper.py", "python3", "/app/app.py"] 21 | -------------------------------------------------------------------------------- /p0f/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/p0f/__init__.py -------------------------------------------------------------------------------- /p0f/requirements.txt: -------------------------------------------------------------------------------- 1 | pyshark==0.6 2 
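pytest==7.3.1
--------------------------------------------------------------------------------
/p0f/test_app.py:
--------------------------------------------------------------------------------
"""
Test module for app.py

Created on 20 December 2018
@author: Charlie Lewis
"""
import os
import shutil
import sys

from .app import VERSION
from .app import parse_output
from .app import ispcap
from .app import main
from .app import run_tshark
from .app import run_p0f
from .app import build_result_json
import network_tools_lib


# Fixture capture shipped next to this module.
TEST_LO_CAP = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'test_lo.cap')


def test_runproc():
    # returned filehandles both none as process has exited.
    assert network_tools_lib.run_proc([shutil.which('ls')]) == (None, None)


def test_ispcap():
    assert ispcap('afile.pcap')  # nosec
    assert not ispcap('notapcap.txt')  # nosec


def test_version():
    assert VERSION.startswith('0.')  # nosec


def test_result_json():
    # Pins the exact p0f/tshark result for the fixture capture, so a change in
    # the tool versions inside the image shows up here.
    assert build_result_json([TEST_LO_CAP]) == [{
        'data': {  # nosec
            'p0f_output_size': 1702,
            'pcap_packets': 18,
            'file_path': TEST_LO_CAP,
            'ipv4_addresses': {'127.0.0.1': {'full_os': 'Linux 2.2.x-3.x', 'mac': '00:00:00:00:00:00', 'raw_mtu': '65535', 'short_os': 'Linux'}},
            'ipv6_addresses': {'::1': {'mac': '00:00:00:00:00:00', 'raw_mtu': '65536'}}},
        'file_path': TEST_LO_CAP,
        'id': '',
        'results': {'tool': 'p0f', 'version': VERSION},
        'tool': 'p0f', 'type': 'metadata', 'version': VERSION}, {
        'data': '',
        'file_path': TEST_LO_CAP,
        'id': '',
        'results': {'tool': 'p0f', 'version': VERSION},
        'tool': 'p0f',
        'type': 'metadata'}]


def test_main():
    # main() reads the capture path from sys.argv[1], so argv is rewritten
    # here.  Any argv shorter than two entries (not only an empty one) needs
    # rebuilding; assigning sys.argv[1] on a one-element argv would raise
    # IndexError before main() is ever reached.
    if len(sys.argv) < 2:
        sys.argv = [sys.argv[0] if sys.argv else os.devnull, TEST_LO_CAP]
    else:
        sys.argv[1] = TEST_LO_CAP
    main()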
-------------------------------------------------------------------------------- /p0f/test_lo.cap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/p0f/test_lo.cap -------------------------------------------------------------------------------- /p0f/tsharkwrapper.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # tshark does not respect -s when reading from a capture, so provide 3 | # a wrapper to cut down the capture to IP/header only, which also 4 | # protects tshark's parser. 5 | # bash-ism to retrieve last item in arg list (called by pyshark, is the pcap name) 6 | pcap="${@: -1}" 7 | if [[ ! -f "$pcap" ]] ; then 8 | echo last arg must exist and be input pcap. 9 | exit 1 10 | fi 11 | # bash-ism to drop last arg (pcap name) 12 | set -- "${@:1:$#-1}" 13 | # pass remaining pyshark args to tshark, which will end with "-r -". 
14 | editcap -F pcap $pcap -s 128 - | tshark $* \- 15 | -------------------------------------------------------------------------------- /pcap_stats/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.11-slim 2 | LABEL maintainer="Charlie Lewis " 3 | 4 | ENV DEBIAN_FRONTEND noninteractive 5 | ENV PYTHONUNBUFFERED 1 6 | ENV PYTHONPATH=/app/network_tools_lib 7 | 8 | WORKDIR /app 9 | RUN apt-get update && \ 10 | apt-get install -y \ 11 | python3-enchant tshark whois && \ 12 | rm -rf /root/* 13 | 14 | COPY pcap_stats/requirements.txt /app/requirements.txt 15 | COPY network_tools_lib /app/network_tools_lib 16 | COPY pcap_stats/nmap-mac-prefixes.txt /app/nmap-mac-prefixes.txt 17 | COPY pcap_stats/asn.sh /app/asn.sh 18 | COPY pcap_stats/pcap_stats.py /app/pcap_stats.py 19 | RUN pip3 install -r /app/requirements.txt 20 | RUN python3 /app/pcap_stats.py 21 | 22 | ENTRYPOINT ["python3", "/app/pcap_stats.py"] 23 | CMD [""] 24 | -------------------------------------------------------------------------------- /pcap_stats/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/pcap_stats/__init__.py -------------------------------------------------------------------------------- /pcap_stats/asn.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | WhoisIP(){ 4 | echo -e "[AS$found_asn] $found_asname" 5 | } 6 | 7 | LookupASNAndRouteFromIP(){ 8 | found_route="" 9 | found_asn="" 10 | found_asname="" 11 | output=$(whois -h whois.cymru.com " -f -p $1" | sed -e 's/\ *|\ */|/g') 12 | found_asn=$(echo $output | awk -F'[|]' {'print $1'}) 13 | found_asname=$(echo $output | awk -F'[|]' {'print $4'}) 14 | found_route=$(echo $output | awk -F'[|]' {'print $3'}) 15 | } 16 | 17 | ResolveHostnameToIPList(){ 18 | ip=$(host $1 | grep -Eo 
'[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') 19 | echo -e "$ip\n" 20 | } 21 | 22 | input=$(echo $1 | sed -e 's/\/.*//g' | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') 23 | if [ -z "$input" ]; then 24 | # Input is not an IPv4 Address. Check if it is a number (ASN) 25 | asn=$(echo $1 | sed -e 's/[a|A][s|S]//g' | grep -E "^[0-9]*$") 26 | if [ -z "$asn" ]; then 27 | # Input is not an ASN either. Consider it a hostname and try to resolve it. 28 | ip=$(ResolveHostnameToIPList $1) 29 | if [ -z "$ip" ]; then 30 | echo -e "[ASNA] NA" 31 | exit 32 | fi 33 | numips=$(echo "$ip" | wc -l) 34 | [[ $numips = 1 ]] && s="" || s="es" 35 | for singleip in $ip; do 36 | LookupASNAndRouteFromIP $singleip 37 | WhoisIP $singleip 38 | done 39 | exit 40 | else 41 | echo -e "[ASNA] NA" 42 | exit 43 | fi 44 | else 45 | # Input is an IPv4 46 | LookupASNAndRouteFromIP $input 47 | if [ -z "$found_asname" ] && [ -z "$found_route" ]; then 48 | echo -e "[ASNA] NA" 49 | exit 50 | fi 51 | WhoisIP $input 52 | exit 53 | fi 54 | -------------------------------------------------------------------------------- /pcap_stats/requirements.txt: -------------------------------------------------------------------------------- 1 | pika==1.3.2 2 | pyenchant==3.2.2 3 | scapy==2.5.0 4 | -------------------------------------------------------------------------------- /pcap_stats/test_pcap_stats.py: -------------------------------------------------------------------------------- 1 | """ 2 | Test module for tcprewrite.py 3 | 4 | Created on 20 December 2018 5 | @author: Charlie Lewis 6 | """ 7 | import sys 8 | 9 | from .pcap_stats import condense_conversations 10 | from .pcap_stats import get_ether_vendor 11 | from .pcap_stats import get_path 12 | from .pcap_stats import run_capinfos 13 | from .pcap_stats import run_tshark 14 | 15 | 16 | def test_get_path(): 17 | get_path() 18 | sys.argv = [] 19 | get_path() 20 | 21 | 22 | def test_run_tool(): 23 | with open('/tmp/test', 'w') as f: 24 | f.write("") 25 
run_capinfos('/tmp/test')
    run_tshark('/tmp/test')
    # NOTE(review): a fixed path under the shared /tmp is written and then
    # handed to the tools; a private tempfile path would avoid collisions
    # between concurrent runs and pre-planted files or symlinks at that name.
    with open('/tmp/test', 'w') as f:
        f.write("This is an invalid test")
    run_capinfos('/tmp/test')
    run_tshark('/tmp/test')


def test_get_ether_vendor():
    # Smoke test only: exercises the lookup, does not check the vendor string.
    get_ether_vendor('00:00:00')


def test_condense_conversations():
    # Smoke test only: the returned mapping is not inspected.
    results = {'tshark': {'tcp': [{'Source': '0.0.0.0:12', 'Destination': '1.2.3.4:42'}]}}
    conv_type = 'tcp'
    prot_ip_map = condense_conversations(results, conv_type)

--------------------------------------------------------------------------------
/pcap_to_node_pcap/.dockerignore:
--------------------------------------------------------------------------------
Dockerfile

--------------------------------------------------------------------------------
/pcap_to_node_pcap/Dockerfile:
--------------------------------------------------------------------------------
FROM debian:bullseye-slim AS pcapsplitter

LABEL maintainer = "Charlie Lewis "

ENV DEBIAN_FRONTEND noninteractive
ENV PYTHONUNBUFFERED 1

WORKDIR /app
# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends bash git libpcap-dev make gcc g++ \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
# NOTE(review): GIT_SSL_NO_VERIFY=true turns off TLS certificate checking for
# this clone, so the PcapPlusPlus source compiled into the image is fetched
# without verifying who served it, and "-b v21.05" is a tag (a moveable ref)
# rather than a commit hash.  Dropping the override and pinning a commit would
# let the build verify what it is building.
RUN GIT_SSL_NO_VERIFY=true git clone https://github.com/seladb/PcapPlusPlus.git /PcapPlusPlus -b v21.05
WORKDIR /PcapPlusPlus
RUN /bin/bash ./configure-linux.sh --default
WORKDIR /PcapPlusPlus/Examples/PcapSplitter
RUN make

FROM debian:bullseye-slim

ENV PYTHONPATH=/app/network_tools_lib

WORKDIR /app

# hadolint ignore=DL3008
RUN apt-get update && apt-get install -y --no-install-recommends python3 python3-dev python3-pip libpcap0.8 tshark \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
COPY pcap_to_node_pcap/requirements.txt /app/requirements.txt
COPY pcap_to_node_pcap/pcap_to_node_pcap.py /app/pcap_to_node_pcap.py
COPY network_tools_lib /app/network_tools_lib 30 | RUN pip3 install -r /app/requirements.txt 31 | COPY --from=pcapsplitter /PcapPlusPlus/Examples/PcapSplitter/Bin/PcapSplitter /PcapSplitter 32 | 33 | RUN python3 /app/pcap_to_node_pcap.py 34 | 35 | ENTRYPOINT ["python3", "/app/pcap_to_node_pcap.py"] 36 | CMD [""] 37 | -------------------------------------------------------------------------------- /pcap_to_node_pcap/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/pcap_to_node_pcap/__init__.py -------------------------------------------------------------------------------- /pcap_to_node_pcap/requirements.txt: -------------------------------------------------------------------------------- 1 | pika==1.3.2 2 | -------------------------------------------------------------------------------- /pcap_to_node_pcap/test_lo.cap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/pcap_to_node_pcap/test_lo.cap -------------------------------------------------------------------------------- /pcap_to_node_pcap/test_pcap_to_node_pcap.py: -------------------------------------------------------------------------------- 1 | """ 2 | Test module for pcap_to_node_pcap.py 3 | 4 | Created on 20 December 2018 5 | @author: Charlie Lewis 6 | """ 7 | import argparse 8 | import os 9 | import shutil 10 | import tempfile 11 | 12 | from .pcap_to_node_pcap import get_path, ipaddress_fields, run_tool, parse_pcap_json_to_layers, pcap_name_with_layers, parse_args, proto_annotate_pcaps 13 | 14 | 15 | def test_proto_annotate_pcaps(): 16 | with tempfile.TemporaryDirectory() as tmpdir: 17 | shutil.copy(os.path.join(os.path.dirname(__file__), 'test_lo.cap'), tmpdir) 18 | proto_annotate_pcaps(tmpdir) 19 | 20 | 21 | def 
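test_parse_pcap_json():
    # One tshark-style JSON frame; the expected layer list is the order the
    # parser emits: addresses first, then the protocol names, then the port.
    test_pcap_json = [{
        "_source": {
            "layers": {
                "frame": {},
                "eth": {"eth.type": "0x00000800"},
                "ip": {
                    "ip.src": "192.168.254.254",
                    "ip.addr": "192.168.254.254",
                    "ip.src_host": "192.168.254.254",
                    "ip.dst": "192.168.254.4",
                    "ip.dst_host": "192.168.254.4",
                    "ip.host": "192.168.254.4",
                },
                "tcp": {
                    "tcp.srcport": "42628",
                    "tcp.dstport": "9100",
                }
            }
        }
    }]
    layers = parse_pcap_json_to_layers(test_pcap_json)
    assert layers == ['192-168-254-254', '192-168-254-4', 'frame', 'eth', 'ip', 'tcp', 'port-9100']


def test_ipaddress_fields():
    ipas = ipaddress_fields({'field': '192.168.1.1'})
    assert ipas == {'192-168-1-1'}


def test_pcap_name_with_layers():
    pcap_suffix = '.pcap'
    pcap_basename = 'trace_3cf8009a09d9684250ffa77d6f7752aee61463a8_2019-11-07_04_11_19-server-ip-74-125-68-189'
    pcap_filename = pcap_basename + pcap_suffix
    new_name = pcap_name_with_layers(pcap_filename, ['a', 'b', 'c'], pcap_suffix)
    assert new_name == pcap_basename + '-a-b-c' + pcap_suffix


def test_parse_args():
    args = parse_args(argparse.ArgumentParser(''))
    assert args.protoannotate


def test_get_path():
    # Smoke test only: neither return value is inspected.
    get_path([])
    get_path(['xxx'])


def test_run_tool():
    # Smoke test with deliberately invalid pcap content, once short and once
    # repeated.  The file lives in a private temporary directory rather than
    # at a fixed, world-shared /tmp path, so concurrent runs do not clobber
    # each other and a pre-existing file or symlink at that name cannot be
    # followed.
    with tempfile.TemporaryDirectory() as tmpdir:
        test_path = os.path.join(tmpdir, 'test')
        with open(test_path, 'w') as f:
            f.write("This is an invalid test")
        for annotate in (True, False):
            run_tool(test_path, annotate)
        with open(test_path, 'w') as f:
            for _ in range(100):
                f.write("This is an invalid test")
        for annotate in (True, False):
            run_tool(test_path, annotate)

--------------------------------------------------------------------------------
/rbqwrapper/Dockerfile:
--------------------------------------------------------------------------------
FROM python:3.11-slim
LABEL maintainer="Charlie Lewis "

ENV PYTHONUNBUFFERED 1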
5 | 6 | COPY rbqwrapper/requirements.txt requirements.txt 7 | RUN apt-get update && apt-get install -y python3-dev 8 | RUN pip3 install -r requirements.txt 9 | 10 | COPY rbqwrapper/rbqwrapper.py /rbqwrapper.py 11 | -------------------------------------------------------------------------------- /rbqwrapper/requirements.txt: -------------------------------------------------------------------------------- 1 | pika==1.3.2 2 | -------------------------------------------------------------------------------- /rbqwrapper/test_rbqwrapper.py: -------------------------------------------------------------------------------- 1 | from rbqwrapper import RbqWrapper, main 2 | 3 | 4 | def test_init(): 5 | RbqWrapper() 6 | 7 | def test_null(): 8 | main([]) 9 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base", 4 | "docker:enableMajor" 5 | ], 6 | "ignorePaths": [] 7 | } 8 | -------------------------------------------------------------------------------- /replay_pcap/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 | LABEL maintainer="Jeff Wang " 3 | 4 | RUN apt-get -y update && apt-get install -y --no-install-recommends \ 5 | tcpreplay \ 6 | sudo \ 7 | && apt-get clean \ 8 | && rm -rf /var/lib/apt/lists/* 9 | COPY replay_pcap/replay.sh /app/replay.sh 10 | 11 | ENTRYPOINT ["/app/replay.sh"] 12 | CMD [""] 13 | -------------------------------------------------------------------------------- /replay_pcap/replay.sh: -------------------------------------------------------------------------------- 1 | #! 
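/bin/bash 2 | 3 | sudo tcpreplay -i "$1" "$2" 4 | -------------------------------------------------------------------------------- /snort/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM debian:bullseye-slim 2 | LABEL maintainer="Charlie Lewis " 3 | 4 | ENV DAQ_VERSION 2.0.7 5 | ENV SNORT_VERSION 2.9.18 6 | ENV PYTHONPATH=/app/network_tools_lib 7 | 8 | RUN mkdir -p /var/log/snort && \ 9 | mkdir -p /usr/local/lib/snort_dynamicrules && \ 10 | mkdir -p /etc/snort 11 | RUN apt-get update && \ 12 | apt-get install -y \ 13 | autoconf \ 14 | curl \ 15 | python3 \ 16 | python3-pip \ 17 | build-essential \ 18 | bison \ 19 | flex \ 20 | libpcap-dev \ 21 | libpcre3-dev \ 22 | libdumbnet-dev \ 23 | libtool \ 24 | zlib1g-dev \ 25 | libxtables-dev \ 26 | libnetfilter-queue1 \ 27 | tcpdump \ 28 | unzip && \ 29 | apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 30 | COPY snort/downloadhelper.sh /opt/downloadhelper.sh 31 | # hadolint ignore=DL3010 32 | COPY snort/*.tar.gz /opt/ 33 | WORKDIR /opt 34 | RUN /opt/downloadhelper.sh https://www.snort.org/downloads/snort/daq-${DAQ_VERSION}.tar.gz daq-${DAQ_VERSION}.tar.gz && tar zxvf daq-${DAQ_VERSION}.tar.gz && mv daq-${DAQ_VERSION} daq && rm daq-${DAQ_VERSION}.tar.gz 35 | WORKDIR /opt/daq 36 | RUN autoreconf -f -i && ./configure && make && make install 37 | WORKDIR /opt 38 | RUN /opt/downloadhelper.sh https://www.snort.org/downloads/snort/snort-${SNORT_VERSION}.tar.gz snort-${SNORT_VERSION}.tar.gz && tar zxvf snort-${SNORT_VERSION}.tar.gz && mv snort-${SNORT_VERSION} snort && rm snort-${SNORT_VERSION}.tar.gz 39 | WORKDIR /opt/snort 40 | RUN ./configure --disable-open-appid && make && make install 41 | 42 | RUN ldconfig 43 | RUN touch /var/log/snort/alert 44 | 45 | WORKDIR /app 46 | COPY /snort/requirements.txt /app/requirements.txt 47 | COPY network_tools_lib /app/network_tools_lib 48 | COPY /snort/snortrules-snapshot-29150/ /etc/snort/ 49 | COPY snort/snort.py /app/snort.py
50 | RUN pip3 install -r /app/requirements.txt 51 | 52 | RUN python3 /app/snort.py 53 | 54 | ENTRYPOINT ["python3", "/app/snort.py"] 55 | CMD [""] 56 | -------------------------------------------------------------------------------- /snort/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/__init__.py -------------------------------------------------------------------------------- /snort/daq-2.0.7.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/daq-2.0.7.tar.gz -------------------------------------------------------------------------------- /snort/downloadhelper.sh: --------------------------------------------------------------------------------
#!/bin/bash

# snort.org downloads can fail for multiple reasons; 500s, redirect loops, etc.
# this helper retries downloads verbosely and verifies what was downloaded,
# is a valid tgz.
#
# Usage: downloadhelper.sh URL TARFILE
#
# NOTE(review): "valid tgz" here means only that `tar ztvf` can list the
# archive; nothing verifies the download against a known checksum or
# signature. In the normal build the vendored tarballs copied into /opt by
# the Dockerfile make this script exit early, so the unverified network
# download path is only taken when a tarball is missing. Pinning an expected
# digest per DAQ/SNORT version (e.g. `sha256sum -c`) would close that gap.

url=$1
tarfile=$2
retries=5
if [[ "$url" == "" || "$tarfile" == "" ]] ; then
  echo need URL and tarfile
  exit 1
fi

if [[ -f "$tarfile" ]] ; then
  echo "$tarfile" exists, skipping download
  exit 0
fi

i=0
while [ "$i" -lt "$retries" ]; do
  i=$((i+1))
  # Drop any partial file left by a failed earlier attempt. The original
  # removed "$outfile", a variable that is never assigned, so this was a no-op.
  rm -f "$tarfile"
  # TODO: workaround curl segfault in getaddrinfo() handling redirect under qemu
  finalurl=$(curl -Ls -w '%{url_effective}' -o /dev/null "$url")
  echo final URL: "$finalurl"
  # TODO: snort binary serving does not work with TLS 1.3
  curl -v "$finalurl" --tlsv1.2 --tls-max 1.2 --output "$tarfile" --trace -
  tar ztvf "$tarfile"
  tarstatus=$?
  if [[ -f "$tarfile" && $tarstatus -eq 0 ]] ; then
    echo downloaded "$url" to "$tarfile".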
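33 | exit 0 34 | break 35 | fi 36 | echo retrying.... 37 | sleep 60 38 | done 39 | 40 | echo failed to download $tarfile. 41 | exit 1 42 | -------------------------------------------------------------------------------- /snort/requirements.txt: -------------------------------------------------------------------------------- 1 | pika==1.3.2 2 | -------------------------------------------------------------------------------- /snort/snort-2.9.18.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snort-2.9.18.tar.gz -------------------------------------------------------------------------------- /snort/snort.py: --------------------------------------------------------------------------------
"""
Plugin that takes pcap files and runs them through snort

Created on 6 November 2019
@author: Charlie Lewis
"""

import datetime
import json
import os
import subprocess
import sys

import pika
import network_tools_lib

VERSION = network_tools_lib.get_version()

# Snort configuration shipped into the image (see the Dockerfile's COPY of
# the rules snapshot into /etc/snort/).
SNORT_CONF = '/etc/snort/etc/snort.conf'
# Alert file snort writes to; the Dockerfile creates it empty at build time.
SNORT_ALERT_FILE = '/var/log/snort/alert'


def connect_rabbit(host='messenger', port=5672, queue='task_queue'):
    """Open a blocking RabbitMQ connection and return a channel.

    The queue is declared durable so it survives a broker restart. Any
    connection error raised by pika propagates to the caller.
    """
    params = pika.ConnectionParameters(host=host, port=port)
    connection = pika.BlockingConnection(params)
    channel = connection.channel()
    channel.queue_declare(queue=queue, durable=True)
    return channel


def send_rabbit_msg(msg, channel, exchange='', routing_key='task_queue'):
    """Publish *msg* as a persistent JSON message and log it to stdout.

    Args:
        msg: dict; its 'id' and 'file_path' keys are used in the log line.
        channel: channel returned by connect_rabbit().
        exchange, routing_key: publish target; defaults address the task queue.
    """
    channel.basic_publish(exchange=exchange,
                          routing_key=routing_key,
                          body=json.dumps(msg),
                          properties=pika.BasicProperties(
                              delivery_mode=2,  # persistent delivery
                          ))
    print(" [X] %s UTC %r %r" % (str(datetime.datetime.utcnow()),
                                 str(msg['id']), str(msg['file_path'])))


def get_path():
    """Return the pcap path given as argv[1], or None (after a message) if absent."""
    try:
        return sys.argv[1]
    except IndexError as e:  # only argv[1] can fail here
        print("No path provided: {0}, quitting".format(str(e)))
        return None


def parse_snort(output):
    """Split snort's console output into its '===' delimited summary sections.

    Only text after the 'Commencing packet processing' line is considered.
    A section is keyed by the title line that follows a '===' separator;
    separators followed by another separator or by one of the trailer lines
    ('Snort exiting', 'Run time for packet', 'Memory usage summary',
    'Packet I/O Totals') are skipped. Lines seen before any title is set
    are discarded.

    Returns:
        dict mapping section title -> list of raw lines in that section.
    """
    lines = output.split('\n')
    keep_lines = False
    good_lines = []
    for line in lines:
        if line.startswith('Commencing packet processing'):
            keep_lines = True
            continue
        if keep_lines:
            good_lines.append(line)

    groups = {}
    i = 0
    title = None
    # remove last two lines for 'snort exiting'
    while i < len(good_lines)-2:
        if good_lines[i].startswith('==='):
            if (good_lines[i+1].startswith('===') or
                    good_lines[i+1].startswith('Snort exiting') or
                    good_lines[i+1].startswith('Run time for packet') or
                    good_lines[i+1].startswith('Memory usage summary') or
                    good_lines[i+1].startswith('Packet I/O Totals')):
                i += 1
                continue
            title = good_lines[i+1].strip()
            groups[title] = []
            i += 2
            continue
        if title:
            groups[title].append(good_lines[i])
        i += 1

    return groups


def parse_alerts(alerts):
    """Split the raw alert file text on blank lines into a list of alert records."""
    alerts = alerts.split('\n\n')
    return {'Alerts': alerts}


def run_tool(path):
    """Run snort over the pcap at *path* and return (sections, alerts).

    Args:
        path: filesystem path of the pcap to read (passed to snort's -r).

    Returns:
        tuple of (parse_snort() dict, parse_alerts() dict). If snort fails
        or the alert file cannot be read, the error is printed and empty
        parsed results are returned instead of raising (best-effort, as
        the caller just forwards whatever is produced).
    """
    output = ''
    alerts = ''
    try:
        # Pass an argument list rather than shlex.split() of a concatenated
        # command: a path containing spaces or quote characters would
        # otherwise be split into extra snort arguments.
        output = subprocess.check_output(
            ['snort', '-c', SNORT_CONF, '-r', path],
            stderr=subprocess.STDOUT).decode('utf-8', errors='replace')
        # Read the alert file directly instead of spawning `cat`. Only read
        # it when snort succeeded, as before.
        # NOTE(review): nothing here truncates the alert file between runs,
        # so alerts from earlier pcaps processed in the same container may
        # be reported again - confirm whether that is intended.
        with open(SNORT_ALERT_FILE, encoding='utf-8', errors='replace') as alert_file:
            alerts = alert_file.read()
    except (subprocess.CalledProcessError, OSError) as e:
        print(str(e))

    output = parse_snort(output)
    alerts = parse_alerts(alerts)
    print(output)
    print(alerts)
    return output, alerts


if __name__ == '__main__':  # pragma: no cover
    path = get_path()
    uid = os.environ.get('id', '')

    if path:
        results, alerts = run_tool(path)
        if os.environ.get('rabbit') == 'true':
            try:
                channel = connect_rabbit()
                # Three messages as before: sections, alerts, then an empty
                # terminator record.
                for data in (results, alerts, ''):
                    body = {'id': uid, 'type': 'metadata', 'file_path': path,
                            'data': data,
                            'results': {'tool': 'snort', 'version': VERSION}}
                    send_rabbit_msg(body, channel)
            except Exception as e:  # top-level boundary: report and exit
                print(str(e))

-------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/etc/classification.config: -------------------------------------------------------------------------------- 1 | # $Id: classification.config,v 1.1000.2.59 2017-03-29 23:30:35 vrtbuild Exp $ 2 | # The following includes information for prioritizing rules 3 | # 4 | # Each classification includes a shortname, a description, and a default 5 | # priority for that classification. 6 | # 7 | # This allows alerts to be classified and prioritized. You can specify 8 | # what priority each classification has. Any rule can override the default 9 | # priority for that rule. 10 | # 11 | # Here are a few example rules: 12 | # 13 | # alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; 14 | # dsize: > 128; classtype:attempted-admin; priority:10; 15 | # 16 | # alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \ 17 | # content:"expn root"; nocase; classtype:attempted-recon;) 18 | # 19 | # The first rule will set its type to "attempted-admin" and override 20 | # the default priority for that type to 10. 21 | # 22 | # The second rule set its type to "attempted-recon" and set its 23 | # priority to the default for that type.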
24 | # 25 | 26 | # 27 | # config classification:shortname,short description,priority 28 | # 29 | 30 | config classification: not-suspicious,Not Suspicious Traffic,3 31 | config classification: unknown,Unknown Traffic,3 32 | config classification: bad-unknown,Potentially Bad Traffic, 2 33 | config classification: attempted-recon,Attempted Information Leak,2 34 | config classification: successful-recon-limited,Information Leak,2 35 | config classification: successful-recon-largescale,Large Scale Information Leak,2 36 | config classification: attempted-dos,Attempted Denial of Service,2 37 | config classification: successful-dos,Denial of Service,2 38 | config classification: attempted-user,Attempted User Privilege Gain,1 39 | config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 40 | config classification: successful-user,Successful User Privilege Gain,1 41 | config classification: attempted-admin,Attempted Administrator Privilege Gain,1 42 | config classification: successful-admin,Successful Administrator Privilege Gain,1 43 | 44 | 45 | # NEW CLASSIFICATIONS 46 | config classification: rpc-portmap-decode,Decode of an RPC Query,2 47 | config classification: shellcode-detect,Executable Code was Detected,1 48 | config classification: string-detect,A Suspicious String was Detected,3 49 | config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2 50 | config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2 51 | config classification: system-call-detect,A System Call was Detected,2 52 | config classification: tcp-connection,A TCP Connection was Detected,4 53 | config classification: trojan-activity,A Network Trojan was Detected, 1 54 | config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2 55 | config classification: network-scan,Detection of a Network Scan,3 56 | config classification: denial-of-service,Detection of a Denial of Service 
Attack,2 57 | config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2 58 | config classification: protocol-command-decode,Generic Protocol Command Decode,3 59 | config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2 60 | config classification: web-application-attack,Web Application Attack,1 61 | config classification: misc-activity,Misc activity,3 62 | config classification: misc-attack,Misc Attack,2 63 | config classification: icmp-event,Generic ICMP event,3 64 | config classification: inappropriate-content,Inappropriate Content was Detected,1 65 | config classification: policy-violation,Potential Corporate Privacy Violation,1 66 | config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2 67 | config classification: sdf,Sensitive Data was Transmitted Across the Network,2 68 | config classification: file-format,Known malicious file or file based exploit,1 69 | config classification: malware-cnc,Known malware command and control traffic,1 70 | config classification: client-side-exploit,Known client side exploit attempt,1 71 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/etc/reference.config: -------------------------------------------------------------------------------- 1 | # $Id: reference.config,v 1.991.2.59 2017-03-29 23:30:35 vrtbuild Exp $ 2 | # The following defines URLs for the references found in the rules 3 | # 4 | # config reference: system URL 5 | 6 | config reference: bugtraq http://www.securityfocus.com/bid/ 7 | config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name= 8 | config reference: arachNIDS http://www.whitehats.com/info/IDS 9 | config reference: osvdb http://osvdb.org/show/osvdb/ 10 | 11 | # Note, this one needs a suffix as well.... lets add that in a bit. 
12 | config reference: McAfee http://vil.nai.com/vil/content/v_ 13 | config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id= 14 | config reference: url http:// 15 | config reference: msb http://technet.microsoft.com/en-us/security/bulletin/ 16 | 17 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/etc/threshold.conf: -------------------------------------------------------------------------------- 1 | # Configure Thresholding and Suppression 2 | # ====================================== 3 | # 4 | # The threshold command is deprecated. Use detection_filter for thresholds 5 | # within a rule and event_filter for standalone threshold configurations. 6 | # Please see README.filters for more information on filters. 7 | # 8 | # Thresholding: 9 | # 10 | # This feature is used to reduce the number of logged alerts for noisy rules. 11 | # This can be tuned to significantly reduce false alarms, and it can also be 12 | # used to write a newer breed of rules. Thresholding commands limit the number 13 | # of times a particular event is logged during a specified time interval. 14 | # 15 | # There are 3 types of event_filters: 16 | # 17 | # 1) Limit 18 | # Alert on the 1st M events during the time interval, then ignore 19 | # events for the rest of the time interval. 20 | # 21 | # 2) Threshold 22 | # Alert every M times we see this event during the time interval. 23 | # 24 | # 3) Both 25 | # Alert once per time interval after seeing M occurrences of the 26 | # event, then ignore any additional events during the time interval. 
27 | # 28 | # Threshold commands are formatted as: 29 | # 30 | # event_filter gen_id gen-id, sig_id sig-id, \ 31 | # type limit|threshold|both, track by_src|by_dst, \ 32 | # count n , seconds m 33 | # 34 | # Limit to logging 1 event per 60 seconds: 35 | # 36 | # event_filter gen_id 1, sig_id 1851, type limit, \ 37 | # track by_src, count 1, seconds 60 38 | # 39 | # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 40 | # each rule (rules are gen_id 1): 41 | # 42 | # event_filter gen_id 1, sig_id 0, type limit, track by_src, count 1, seconds 60 43 | # 44 | # Global Threshold - Limit to logging 1 event per 60 seconds per IP triggering 45 | # any alert for any event generator: 46 | # 47 | # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 48 | # 49 | # Suppression: 50 | # 51 | # Suppression commands are standalone commands that reference generators and 52 | # sids and IP addresses via a CIDR block (or IP list). This allows a rule to be 53 | # completely suppressed, or suppressed when the causative traffic is going to 54 | # or coming from a specific IP or group of IP addresses.
55 | # 56 | # Suppress this event completely: 57 | # 58 | # suppress gen_id 1, sig_id 1852 59 | # 60 | # Suppress this event from this IP: 61 | # 62 | # suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.54 63 | # 64 | # Suppress this event to this CIDR block: 65 | # 66 | # suppress gen_id 1, sig_id 1852, track by_dst, ip 10.1.1.0/24 67 | # 68 | 69 | # Global event filter to limit events from a unique src to 1 in 60 seconds 70 | # Disabled by default turn on if you want this functionality 71 | # 72 | 73 | # event_filter gen_id 0, sig_id 0, type limit, track by_src, count 1, seconds 60 74 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/preproc_rules/sensitive-data.rules: -------------------------------------------------------------------------------- 1 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Credit Card Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,credit_card; classtype:sdf; sid:2; gid:138; rev:1;) 2 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (with dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:2,us_social; classtype:sdf; sid:3; gid:138; rev:1;) 3 | #alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. Social Security Numbers (w/out dashes)"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,us_social_nodashes; classtype:sdf; sid:4; gid:138; rev:1;) 4 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA Email Addresses"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,email; classtype:sdf; sid:5; gid:138; rev:1;) 5 | alert tcp $HOME_NET any -> $EXTERNAL_NET [80,20,25,143,110] (msg:"SENSITIVE-DATA U.S. 
Phone Numbers"; metadata:service http, service smtp, service ftp-data, service imap, service pop3; sd_pattern:20,(\d{3}) ?\d{3}-\d{4}; classtype:sdf; sid:6; gid:138; rev:1;) 6 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/attack-responses.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------------ 19 | # ATTACK-RESPONSES RULES 20 | #------------------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/backdoor.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #---------------- 19 | # BACKDOOR RULES 20 | #---------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/bad-traffic.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # BAD-TRAFFIC RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/blacklist.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # BLACKLIST RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/botnet-cnc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. 
All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # BOTNET-CNC RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/chat.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # CHAT RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/ddos.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------ 19 | # DDOS RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/dns.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # DNS RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/dos.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # DOS RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/experimental.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------------- 19 | # EXPERIMENTAL RULES 20 | #-------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/exploit.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # EXPLOIT RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/finger.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. 
All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # FINGER RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/ftp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # FTP RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/icmp-info.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #----------------- 19 | # ICMP-INFO RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/icmp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # ICMP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/imap.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # IMAP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/info.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # INFO RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/local.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # LOCAL RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/misc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # MISC RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/multimedia.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # MULTIMEDIA RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/mysql.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------- 19 | # MYSQL RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/nntp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # NNTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/oracle.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # ORACLE RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/other-ids.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # OTHER-IDS RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/p2p.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # P2P RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/phishing-spam.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------------- 19 | # PHISHING-SPAM RULES 20 | #--------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/policy-multimedia.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------------- 19 | # POLICY-MULTIMEDIA RULES 20 | #------------------------- 21 | 22 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;) 23 | # alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;) 24 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Youtube video player file request"; flow:to_server,established; content:"/get_video?video_id"; fast_pattern; nocase; http_uri; content:"youtube.com"; nocase; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:12436; rev:10;) 25 | # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;) 26 | # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; 
fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;) 27 | # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Google video player request"; flow:to_server,established; content:"/googleplayer.swf"; nocase; http_uri; metadata:policy max-detect-ips drop, service http; classtype:policy-violation; sid:12437; rev:10;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;) 29 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/policy.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #-------------- 19 | # POLICY RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/pop2.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # POP2 RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/pop3.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # POP3 RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/protocol-finger.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------------- 19 | # PROTOCOL-FINGER RULES 20 | #----------------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;) 23 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;) 26 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;) 27 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;) 28 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; 
metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;) 29 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;) 30 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;) 31 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;) 32 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;) 33 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;) 34 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;) 35 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;) 36 | -------------------------------------------------------------------------------- 
/snort/snortrules-snapshot-29150/rules/rpc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------- 19 | # RPC RULES 20 | #----------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/rservices.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. 
The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # RSERVICES RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/scada.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------- 19 | # SCADA RULES 20 | #------------- 21 | 22 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 2537 (msg:"SCADA Schneider Electric Accutech http request overflow attempt"; flow:to_server,established; content:"GET /"; depth:5; isdataat:128,relative; content:!" HTTP/1.1"; within:128; reference:bugtraq,57651; reference:cve,2013-0658; classtype:attempted-admin; sid:39941; rev:1;) 23 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/scan.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------ 19 | # SCAN RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/shellcode.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #----------------- 19 | # SHELLCODE RULES 20 | #----------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/smtp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # SMTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/snmp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # SNMP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/specific-threats.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------------ 19 | # SPECIFIC-THREATS RULES 20 | #------------------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/spyware-put.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # SPYWARE-PUT RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/telnet.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #-------------- 19 | # TELNET RULES 20 | #-------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/tftp.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # TFTP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/virus.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------- 19 | # VIRUS RULES 20 | #------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/voip.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 
2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------ 19 | # VOIP RULES 20 | #------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-activex.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. 
The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------- 19 | # WEB-ACTIVEX RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-attacks.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #------------------- 19 | # WEB-ATTACKS RULES 20 | #------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-cgi.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # WEB-CGI RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-client.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #------------------ 19 | # WEB-CLIENT RULES 20 | #------------------ 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-coldfusion.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #---------------------- 19 | # WEB-COLDFUSION RULES 20 | #---------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-frontpage.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #--------------------- 19 | # WEB-FRONTPAGE RULES 20 | #--------------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-iis.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # WEB-IIS RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-misc.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. 
(the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #---------------- 19 | # WEB-MISC RULES 20 | #---------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/web-php.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. 
Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 17 | # 18 | #--------------- 19 | # WEB-PHP RULES 20 | #--------------- 21 | 22 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/rules/x11.rules: -------------------------------------------------------------------------------- 1 | # Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved. 2 | # 3 | # This file contains (i) proprietary rules that were created, tested and certified by 4 | # Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT 5 | # Certified Rules License Agreement (v 2.0), and (ii) rules that were created by 6 | # Sourcefire and other third parties (the "GPL Rules") that are distributed under the 7 | # GNU General Public License (GPL), v2. 8 | # 9 | # The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created 10 | # by Sourcefire and other third parties. The GPL Rules created by Sourcefire are 11 | # owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by 12 | # their respective creators. Please see http://www.snort.org/snort/snort-team/ for a 13 | # list of third party owners and their respective copyrights. 14 | # 15 | # In order to determine what rules are VRT Certified Rules or GPL Rules, please refer 16 | # to the VRT Certified Rules License Agreement (v2.0). 
17 | # 18 | #----------- 19 | # X11 RULES 20 | #----------- 21 | 22 | # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;) 23 | # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6;) 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:11;) 25 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unknown; sid:1226; rev:14;) 26 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/browser-chrome.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt"; sid:49442; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2019-0791/; metadata: engine shared, soid 3|49442, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-CHROME TRUFFLEHUNTER TALOS-2019-0791 attack attempt"; sid:49443; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2019-0791/; metadata: engine shared, soid 3|49443, service smtp, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop;) 4 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/browser-ie.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE SFVRT-1021 attack attempt"; sid:38671; gid:3; rev:1; classtype:attempted-user; metadata: engine shared, soid 3|38671, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BROWSER-IE SFVRT-1021 attack attempt"; sid:38672; gid:3; rev:1; classtype:attempted-user; metadata: engine shared, soid 3|38672, service smtp, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop;) 4 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE TRUFFLEHUNTER TALOS-2018-0734 attack attempt"; sid:48459; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2018-0734/; metadata: engine shared, soid 3|48459, service ftp-data, service http, service imap, service pop3, policy max-detect-ips drop, policy security-ips drop;) 5 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE TRUFFLEHUNTER TALOS-2018-0734 attack attempt"; sid:48460; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2018-0734/; metadata: engine shared, soid 3|48460, service smtp, policy max-detect-ips drop, policy security-ips drop;) 6 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE TRUFFLEHUNTER SFVRT-1039 attack attempt"; sid:48691; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|48691, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop;) 7 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE TRUFFLEHUNTER SFVRT-1039 attack attempt"; sid:48692; gid:3; rev:1; classtype:attempted-recon; metadata: engine shared, soid 3|48692, service smtp, policy balanced-ips drop, policy max-detect-ips 
drop, policy security-ips drop;) 8 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer EMF polyline overflow attempt"; sid:15300; gid:3; rev:9; classtype:attempted-user; flowbits:isset,file.emf; reference:cve,2009-0081; reference:url,technet.microsoft.com/en-us/security/bulletin/ms09-006; metadata: engine shared, soid 3|15300, service http;) 9 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/browser-webkit.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt"; sid:52048; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2019-0943/; metadata: engine shared, soid 3|52048, service ftp-data, service http, service imap, service pop3, policy max-detect-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0943 attack attempt"; sid:52049; gid:3; rev:1; classtype:attempted-user; reference:url,www.talosintelligence.com/reports/TALOS-2019-0943/; metadata: engine shared, soid 3|52049, service smtp, policy max-detect-ips drop, policy security-ips drop;) 4 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/exploit-kit.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash exploit file download"; sid:38244; gid:3; rev:1; classtype:trojan-activity; flowbits:isset,file.cws|file.swf; metadata: engine shared, soid 3|38244, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash exploit file download"; sid:38245; gid:3; rev:1; classtype:trojan-activity; flowbits:isset,file.cws|file.swf; metadata: engine shared, soid 3|38245, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy security-ips drop;) 4 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Angler exploit kit Flash exploit file download attempt"; sid:38285; gid:3; rev:1; classtype:attempted-user; flowbits:isset,file.swf; metadata: engine shared, soid 3|38285, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy security-ips drop;) 5 | alert udp $HOME_NET any -> any 53 (msg:"EXPLOIT-KIT g01 exploit kit dns request - doesntexist.com"; sid:26213; gid:3; rev:3; classtype:trojan-activity; reference:url,gist.github.com/jedisct1/5149014; metadata: engine shared, soid 3|26213, service dns;) 6 | alert udp $HOME_NET any -> any 53 (msg:"EXPLOIT-KIT g01 exploit kit dns request - dnsalias.com"; sid:26214; gid:3; rev:3; classtype:trojan-activity; reference:url,gist.github.com/jedisct1/5149014; metadata: engine shared, soid 3|26214, service dns;) 7 | alert udp $HOME_NET any -> any 53 (msg:"EXPLOIT-KIT g01 exploit kit dns request - dynalias.com"; sid:26215; gid:3; rev:3; classtype:trojan-activity; reference:url,gist.github.com/jedisct1/5149014; metadata: engine shared, soid 3|26215, service dns;) 8 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT malicious script detected via RBF 
classifier"; sid:39775; gid:3; rev:6; classtype:attempted-user; metadata: engine shared, soid 3|39775, service http, policy max-detect-ips drop;) 9 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/file-flash.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player remote code execution attempt"; sid:38758; gid:3; rev:1; classtype:attempted-user; flowbits:isset,file.swf; metadata: engine shared, soid 3|38758, service ftp-data, service http, service imap, service pop3, policy balanced-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player multimedia file DefineSceneAndFrameLabelData code execution attempt"; sid:17647; gid:3; rev:8; classtype:attempted-user; flowbits:isset,file.swf; reference:bugtraq,28695; reference:cve,2007-0071; reference:url,www.adobe.com/support/security/bulletins/apsb08-11.html; metadata: engine shared, soid 3|17647, service http, policy security-ips drop, policy max-detect-ips drop;) 4 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-FLASH known malicious flash actionscript decryption routine"; sid:30901; gid:3; rev:3; classtype:attempted-user; reference:cve,2014-1776; reference:url,technet.microsoft.com/en-us/security/bulletin/MS14-021; metadata: engine shared, soid 3|30901, service http, policy max-detect-ips drop, policy security-ips drop;) 5 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/file-java.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"FILE-JAVA Sun JDK image parsing library ICC buffer overflow attempt"; sid:15328; gid:3; rev:6; classtype:attempted-user; reference:url,scary.beasts.org/security/CESA-2006-004.html; reference:cve,2007-2788; reference:bugtraq,24004; metadata: engine shared, soid 3|15328, policy max-detect-ips drop;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/indicator-shellcode.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Shikata Ga Nai x86 polymorphic shellcode decoder detected"; sid:17775; gid:3; rev:6; classtype:shellcode-detect; metadata: engine shared, soid 3|17775, policy max-detect-ips drop;) 3 | alert udp any any -> $HOME_NET [500,4500] (msg:"INDICATOR-SHELLCODE Cisco ASA alloc_ch connection string"; sid:45597; gid:3; rev:2; classtype:shellcode-detect; reference:cve,2018-0101; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1; metadata: engine shared, soid 3|45597, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop;) 4 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/malware-other.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER known phishing x-mailer attempt"; sid:38745; gid:3; rev:1; classtype:trojan-activity; metadata: engine shared, soid 3|38745, service smtp, policy balanced-ips drop, policy security-ips drop;) 3 | alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE-OTHER Conficker A/B DNS traffic detected"; sid:15449; gid:3; rev:6; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; reference:url,mtc.sri.com/Conficker/addendumC/index.html; reference:url,www.microsoft.com/protect/computer/viruses/worms/conficker.mspx; metadata: engine shared, soid 3|15449, service dns;) 4 | alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"MALWARE-OTHER Conficker C/D DNS traffic detected"; sid:15450; gid:3; rev:9; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/; reference:url,mtc.sri.com/Conficker/addendumC/index.html; reference:url,www.microsoft.com/protect/computer/viruses/worms/conficker.mspx; metadata: engine shared, soid 3|15450, service dns;) 5 | alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt"; sid:30881; gid:3; rev:4; classtype:attempted-recon; metadata: engine shared, soid 3|30881, service dns;) 6 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/netbios.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Cisco WebEx WebExService.exe remote code execution attempt"; sid:49293; gid:3; rev:1; classtype:attempted-admin; reference:cve,2019-1674; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj; metadata: engine shared, soid 3|49293, service netbios-ssn, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"NETBIOS DCERPC NCACN-IP-TCP spoolss NetShareEnumAll response overflow attempt"; sid:20275; gid:3; rev:7; classtype:attempted-admin; flowbits:isset,dce.net_share_enum_all.request; flowbits:unset,dce.net_share_enum_all.request; reference:bugtraq,35206; reference:cve,2009-0228; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-022; metadata: engine shared, soid 3|20275, policy max-detect-ips drop;) 4 | alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB server srvnet.sys driver race condition attempt"; sid:16396; gid:3; rev:5; classtype:attempted-dos; reference:cve,2010-0021; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; metadata: engine shared, soid 3|16396, service netbios-ssn;) 5 | alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client TRANS response ring0 remote code execution attempt"; sid:16532; gid:3; rev:6; classtype:attempted-admin; reference:cve,2010-0476; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; metadata: engine shared, soid 3|16532, service netbios-ssn, policy max-detect-ips drop;) 6 | alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"NETBIOS SMB client TRANS response ring0 remote code execution attempt"; sid:16531; gid:3; rev:11; classtype:attempted-admin; reference:cve,2010-0270; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-020; reference:cve,2011-0660; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-019; reference:cve,2004-0949; metadata: engine shared, soid 3|16531, service netbios-ssn, policy max-detect-ips drop;) 7 | alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS Samba SMB1 chain_reply function memory corruption attempt"; sid:16728; gid:3; rev:4; classtype:attempted-admin; reference:bugtraq,40884; reference:cve,2010-2063; metadata: engine shared, soid 3|16728, service netbios-ssn, policy security-ips drop, policy max-detect-ips drop;) 8 | alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"NETBIOS SMB Trans2 FIND_FIRST2 response file name length overflow attempt"; sid:24973; gid:3; rev:9; classtype:attempted-admin; flowbits:isset,smb.trans2.fileinfo; flowbits:unset,smb.trans2.fileinfo; reference:cve,2012-4774; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-081; metadata: engine shared, soid 3|24973, service netbios-ssn, policy security-ips drop, policy max-detect-ips drop;) 9 | alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"NETBIOS MS-RAP NetServerEnum2 read access violation attempt"; sid:23847; gid:3; rev:3; classtype:attempted-admin; reference:cve,2012-1850; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-054; metadata: engine shared, soid 3|23847, service netbios-ssn;) 10 | alert tcp any any -> any any (msg:"NETBIOS SMB write_andx overflow attempt"; sid:10161; gid:3; rev:9; classtype:attempted-admin; reference:cve,2006-5276; reference:cve,2008-4114; metadata: engine shared, soid 3|10161, service netbios-ssn, policy max-detect-ips drop;) 11 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/os-linux.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux kernel SCTP INIT null pointer dereference attempt"; sid:38346; gid:3; rev:2; classtype:attempted-dos; reference:cve,2014-7841; metadata: engine shared, soid 3|38346, policy max-detect-ips drop;) 3 | alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"OS-LINUX linux kernel snmp nat netfilter memory corruption attempt"; sid:13773; gid:3; rev:8; classtype:attempted-dos; reference:bugtraq,18081; reference:cve,2006-2444; reference:url,kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.18; reference:cve,2008-1673; reference:url,kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5; metadata: engine shared, soid 3|13773, service snmp, policy max-detect-ips drop;) 4 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/policy-social.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"POLICY-SOCIAL GnuPG Message Packet Length overflow attempt"; sid:17697; gid:3; rev:5; classtype:attempted-user; reference:cve,2006-3746; reference:url,secunia.com/advisories/21297/; metadata: engine shared, soid 3|17697, service smtp, policy security-ips drop, policy max-detect-ips drop;) 3 | alert tcp $EXTERNAL_NET [1863,3128,80,8080] -> $HOME_NET any (msg:"POLICY-SOCIAL Pidgin MSN MSNP2P message integer overflow attempt"; sid:14263; gid:3; rev:8; classtype:attempted-user; reference:bugtraq,29956; reference:cve,2008-2927; reference:cve,2009-1376; reference:cve,2009-2694; metadata: engine shared, soid 3|14263, service http, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;) 4 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-chrome.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-chrome.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-ie.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-ie.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-other.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-webkit.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/browser-webkit.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/exploit-kit.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/exploit-kit.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-executable.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-executable.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-flash.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-flash.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-image.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-image.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-java.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-java.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-multimedia.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-multimedia.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-office.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-office.so 
-------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-other.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-pdf.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/file-pdf.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/indicator-shellcode.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/indicator-shellcode.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/malware-cnc.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/malware-cnc.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/malware-other.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/malware-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/netbios.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/netbios.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-linux.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-linux.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-other.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-windows.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/os-windows.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/policy-other.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/policy-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/policy-social.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/policy-social.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-dns.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-dns.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-nntp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-nntp.so 
-------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-other.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-scada.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-scada.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-snmp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-snmp.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-tftp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-tftp.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-voip.so: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/protocol-voip.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/pua-p2p.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/pua-p2p.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-apache.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-apache.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-iis.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-iis.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-mail.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-mail.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-mysql.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-mysql.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-oracle.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-oracle.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-other.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-other.so -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-webapp.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/snort/snortrules-snapshot-29150/so_rules/precompiled/Debian-9/x86-64/2.9.15.0/server-webapp.so 
-------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/protocol-nntp.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP XHDR buffer overflow attempt"; sid:12636; gid:3; rev:6; classtype:attempted-user; reference:url,technet.microsoft.com/en-us/security/bulletin/ms07-056; reference:cve,2007-3897; metadata: engine shared, soid 3|12636, policy max-detect-ips drop;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/protocol-tftp.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35336; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35336, service tftp;) 3 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35337; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35337, service tftp;) 4 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35338; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35338, service tftp;) 5 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP 
Cisco IOS TFTP server denial of service attempt"; sid:35339; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35339, service tftp;) 6 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35340; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35340, service tftp;) 7 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35341; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35341, service tftp;) 8 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35342; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35342, service tftp;) 9 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Cisco IOS TFTP server denial of service attempt"; sid:35343; gid:3; rev:1; classtype:attempted-dos; reference:cve,2015-0681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-a-20150722-tftp; metadata: engine shared, soid 3|35343, service tftp;) 10 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Read Request directory traversal attempt"; sid:49241; gid:3; rev:2; classtype:attempted-recon; reference:cve,2019-1681; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190220-ncs; metadata: engine shared, soid 3|49241, service 
tftp, policy max-detect-ips drop, policy security-ips drop;) 11 | alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP TRUFFLEHUNTER TALOS-2019-0851 attack attempt"; sid:50747; gid:3; rev:1; classtype:attempted-recon; reference:url,www.talosintelligence.com/reports/TALOS-2019-0851/; metadata: engine shared, soid 3|50747, service tftp, policy max-detect-ips drop, policy security-ips drop;) 12 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/pua-p2p.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp any any -> any any (msg:"PUA-P2P WinNY connection attempt"; sid:7019; gid:3; rev:7; classtype:policy-violation; reference:url,en.wikipedia.org/wiki/Winny; metadata: engine shared, soid 3|7019;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/server-apache.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP server auth_ldap logging function format string vulnerability"; sid:13308; gid:3; rev:12; classtype:attempted-user; reference:cve,2006-0150; reference:bugtraq,16177; metadata: engine shared, soid 3|13308, service http, policy security-ips drop, policy max-detect-ips drop;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/server-iis.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS Microsoft ASP.NET viewstate DoS attempt"; sid:15959; gid:3; rev:5; classtype:attempted-dos; reference:cve,2005-1665; reference:url,osvdb.org/show/osvdb/16195; metadata: engine shared, soid 3|15959, service http, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/server-mail.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL BDAT buffer overflow attempt"; sid:13718; gid:3; rev:6; classtype:attempted-admin; reference:bugtraq,4204; reference:cve,2002-0055; reference:url,technet.microsoft.com/en-us/security/bulletin/ms02-012; metadata: engine shared, soid 3|13718, policy security-ips drop, policy max-detect-ips drop, service smtp;) 3 | alert tcp any any -> $HOME_NET 25 (msg:"SERVER-MAIL Microsoft Exchange Server MIME base64 decoding code execution attempt"; sid:12028; gid:3; rev:8; classtype:attempted-admin; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; reference:cve,2007-0213; reference:bugtraq,23809; metadata: engine shared, soid 3|12028, service smtp, policy max-detect-ips drop;) 4 | alert tcp $EXTERNAL_NET any <> $HOME_NET 25 (msg:"SERVER-MAIL Microsoft Exchange MODPROPS memory corruption attempt"; sid:15329; gid:3; rev:4; classtype:attempted-admin; reference:bugtraq,17908; reference:cve,2006-0027; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-019; metadata: engine shared, soid 3|15329, service smtp, policy balanced-ips drop, policy security-ips drop;) 5 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL IBM Domino BMP parsing integer overflow attempt"; sid:42438; gid:3; rev:2; 
classtype:attempted-admin; reference:bugtraq,74597; reference:cve,2015-1902; reference:url,osvdb.org/show/osvdb/122079; metadata: engine shared, soid 3|42438, service smtp, policy balanced-ips drop, policy security-ips drop;) 6 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL Exchange compressed RTF remote code execution attempt"; sid:15301; gid:3; rev:5; classtype:attempted-admin; reference:cve,2009-0098; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-003; metadata: engine shared, soid 3|15301, service smtp, policy max-detect-ips drop;) 7 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SERVER-MAIL MailEnable NTLM Authentication buffer overflow attempt"; sid:17693; gid:3; rev:6; classtype:attempted-admin; reference:url,secunia.com/advisories/22179/; reference:bugtraq,20290; reference:cve,2006-5177; reference:cve,2006-5176; metadata: engine shared, soid 3|17693, service smtp, policy security-ips alert, policy max-detect-ips drop;) 8 | alert tcp any any -> $HOME_NET 143 (msg:"SERVER-MAIL Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt"; sid:13921; gid:3; rev:7; classtype:attempted-admin; reference:url,secunia.com/advisories/24596; reference:bugtraq,23058; reference:cve,2007-1578; metadata: engine shared, soid 3|13921, service imap, policy max-detect-ips drop;) 9 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/server-mysql.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. 
Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"SERVER-MYSQL MySQL COM_TABLE_DUMP Function Stack Overflow attempt"; sid:11619; gid:3; rev:7; classtype:attempted-admin; reference:cve,2006-1518; reference:bugtraq,17780; reference:url,www.wisec.it/vulns.php?page=8; reference:cve,2006-1516; reference:cve,2006-1517; metadata: engine shared, soid 3|11619, service mysql, policy max-detect-ips drop;) 3 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/server-oracle.rules: -------------------------------------------------------------------------------- 1 | # Autogenerated skeleton rules file. Do NOT edit by hand 2 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle Reports Server information disclosure attempt"; sid:24595; gid:3; rev:2; classtype:attempted-recon; reference:cve,2012-3152; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; metadata: engine shared, soid 3|24595, service http, policy security-ips drop;) 3 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle Reports Servlet information disclosure attempt"; sid:24596; gid:3; rev:2; classtype:attempted-recon; reference:cve,2012-3153; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; metadata: engine shared, soid 3|24596, service http, policy security-ips drop;) 4 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle Reports Servlet information disclosure attempt"; sid:24597; gid:3; rev:2; classtype:attempted-recon; reference:cve,2012-3153; reference:url,www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html; metadata: engine shared, soid 3|24597, service http, policy security-ips drop;) 5 | alert tcp $EXTERNAL_NET any <> $HOME_NET 389 (msg:"SERVER-ORACLE Oracle Internet Directory pre-auth ldap denial of service attempt"; sid:15149; gid:3; rev:6; 
classtype:attempted-dos; reference:bugtraq,30177; reference:cve,2008-2595; reference:url,www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html; metadata: engine shared, soid 3|15149, service ldap, policy max-detect-ips drop;) 6 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/README: -------------------------------------------------------------------------------- 1 | Overview 2 | -------- 3 | Due to contract terms with some 3rd party research organizations, 4 | a number of VRT certified rules will only be delivered as binaries. 5 | 6 | This applies only to shared object (SO) rules. Non-shared object rules 7 | WILL NOT be affected. Additionally, because of this change and to better 8 | serve the Snort community the VRT will pre-compile the "SO" rules so 9 | they are easier to use on the various platforms utilized by the snort 10 | community and the VRT subscribers. 11 | 12 | Directory Structure 13 | ------------------- 14 | The structure of the "so_rules" directory inside the rule is as follows: 15 | 16 | so_rules/ 17 | src/ 18 | precompiled/ 19 | / 20 | / 21 | 22 | 23 | Where: 24 | is one of the following values: 25 | a. FreeBSD 8.1 26 | b. FreeBSD 7.3 27 | c. OpenBSD 4.8 28 | d. Debian 6.0 29 | e. Debian 5.0 30 | f. Fedora Core 14 31 | g. Fedora Core 12 32 | h. RHEL 6.0 33 | i. RHEL 5.5 34 | j. Ubuntu 12.4 35 | k. Ubuntu 10.4 36 | l. CentOS 5.4 37 | m. CentOS 4.8 38 | n. OpenSUSE 12.1 39 | o. OpenSUSE 11.4 40 | p. Slackware 13.1 41 | 42 | is one of the following values: 43 | a. i386 (EXCEPT for Slackware 13.1) 44 | b. x86-64 (EXCEPT for CentOS 4.8) 45 | 46 | is one of the following values 47 | a. 2.9.1.2 48 | b. 2.9.2.3 49 | c. 2.9.3.0 50 | d. 2.9.3.1 51 | 52 | If your platform/distribution is not currently listed above this does 53 | not mean these shared objects won't work on your platform. 
Numerous 54 | Linux distributions share common libc versions and it is possible that 55 | one of the above distributions and platforms will work on your system. 56 | If none of the above combinations work on your platform, please send a 57 | note to the snort-sigs mailing list so we can determine the need for 58 | additional platforms and distributions to be added to the list of 59 | supported platforms. 60 | 61 | WARNING 62 | ------- 63 | Sourcefire VRT rule packs often utilize enhancements made to Snort. 64 | Operators should upgrade to the latest revision or patch level for Snort 65 | to ensure these enhancements are available before using these rules. 66 | 67 | USE 68 | --- 69 | To use the shared object rules, the rule stub files must be generated. 70 | To do this, follow these instructions: 71 | 72 | 1. Make sure the dynamic preprocessor and dynamic engine paths are 73 | defined in snort.conf, for example: 74 | 75 | dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor 76 | dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so 77 | 78 | 2. Make sure the path to the location of the shared object rules is 79 | also defined in snort.conf, for example: 80 | 81 | dynamicdetection directory /usr/local/lib/snort_dynamicrule 82 | 83 | 3. Dump the stub rules by issuing the command: 84 | 85 | snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/usr/local/etc/snort/so_rules 86 | 87 | 4. Use a variable to define the path to the stub rules, for example: 88 | 89 | var SO_RULE_PATH /usr/local/etc/snort/so_rules 90 | 91 | 5. Include the generated stub rule files in snort.conf in the same way 92 | the regular rules are included, for example: 93 | 94 | include $SO_RULE_PATH/netbios.rules 95 | 96 | 6. 
Test the installation by issuing the command: 97 | 98 | snort -c /usr/local/etc/snort/snort.conf -T 99 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/_meta.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "sf_snort_plugin_api.h" 4 | #include "sf_dynamic_meta.h" 5 | #include "_meta.h" 6 | 7 | extern Rule *rules[]; 8 | 9 | #if REQ_ENGINE_LIB_MAJOR < 2 10 | DETECTION_LINKAGE int InitializeDetection() 11 | { 12 | return RegisterRules(rules); 13 | } 14 | #else 15 | DETECTION_LINKAGE int InitializeDetection(struct _SnortConfig *sc) 16 | { 17 | return RegisterRules(sc, rules); 18 | } 19 | #endif 20 | 21 | DETECTION_LINKAGE int DumpSkeletonRules() 22 | { 23 | return DumpRules(DETECTION_LIB_NAME, rules); 24 | } 25 | 26 | DETECTION_LINKAGE int LibVersion(DynamicPluginMeta *dpm) 27 | { 28 | dpm->type = TYPE_DETECTION; 29 | dpm->major = DETECTION_LIB_MAJOR; 30 | dpm->minor = DETECTION_LIB_MINOR; 31 | dpm->build = DETECTION_LIB_BUILD; 32 | strncpy(dpm->uniqueName, DETECTION_LIB_NAME, MAX_NAME_LEN); 33 | return 0; 34 | } 35 | 36 | DETECTION_LINKAGE int EngineVersion(DynamicPluginMeta *dpm) 37 | { 38 | 39 | dpm->type = TYPE_ENGINE; 40 | dpm->major = REQ_ENGINE_LIB_MAJOR; 41 | dpm->minor = REQ_ENGINE_LIB_MINOR; 42 | dpm->build = 0; 43 | strncpy(dpm->uniqueName, REQ_ENGINE_LIB_NAME, MAX_NAME_LEN); 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/_meta.h: -------------------------------------------------------------------------------- 1 | #ifndef SFSNORT_DYNAMIC_DETECTION_LIB_H_ 2 | #define SFSNORT_DYNAMIC_DETECTION_LIB_H_ 3 | 4 | #define DETECTION_LIB_MAJOR 1 5 | #define DETECTION_LIB_MINOR 0 6 | #define DETECTION_LIB_BUILD 1 7 | 8 | /* Required version and name of the engine */ 9 | #ifndef REQ_ENGINE_LIB_MAJOR 10 | #define 
REQ_ENGINE_LIB_MAJOR 1 11 | #endif 12 | #ifndef REQ_ENGINE_LIB_MINOR 13 | #define REQ_ENGINE_LIB_MINOR 6 14 | #endif 15 | #define REQ_ENGINE_LIB_NAME "SF_SNORT_DETECTION_ENGINE" 16 | 17 | 18 | #ifdef WIN32 19 | #ifdef SF_SNORT_DETECTION_DLL 20 | #define DETECTION_LINKAGE __declspec(dllexport) 21 | #else 22 | #define DETECTION_LINKAGE __declspec(dllimport) 23 | #endif 24 | #else /* WIN32 */ 25 | #define DETECTION_LINKAGE 26 | #endif /* WIN32 */ 27 | 28 | #endif /* SFSNORT_DYNAMIC_DETECTION_LIB_H_ */ 29 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/category-build.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl -w 2 | use strict; 3 | use warnings; 4 | use Fatal qw/:void open opendir/; 5 | 6 | foreach my $category (@ARGV) { 7 | $category =~ s/\.c$//; 8 | 9 | my $exports = get_exports($category); 10 | build_category($category, $exports); 11 | } 12 | 13 | sub build_category { 14 | my ($category, $exports) = @_; 15 | my %consolidated_requires; 16 | 17 | open(FILE, '>', $category . 
'.c'); 18 | 19 | # Get the list of all requires needed for this shared object 20 | foreach my $file (sort keys %{$exports}) { 21 | foreach my $required (sort keys %{$exports->{$file}{requires}}) { 22 | 23 | # skip dupes 24 | next if(defined($consolidated_requires{$required})); 25 | $consolidated_requires{$required}++; 26 | 27 | print FILE "//REQUIRES:$required\n"; 28 | } 29 | } 30 | 31 | # Standard includes 32 | foreach my $file ('sf_snort_plugin_api.h') { 33 | print FILE "#include \"$file\"\n"; 34 | } 35 | 36 | # Dump function declarations 37 | foreach my $file (sort keys %{$exports}) { 38 | foreach my $rule (sort keys %{ $exports->{$file}{funcs} }) { 39 | print FILE "extern Rule $rule;\n"; 40 | } 41 | } 42 | 43 | # Dump rule structure pointers 44 | print FILE "Rule *rules[] = {\n"; 45 | 46 | foreach my $file (sort keys %{$exports}) { 47 | foreach my $rule (sort keys %{ $exports->{$file}{funcs} }) { 48 | print FILE " &$rule,\n"; 49 | } 50 | } 51 | print FILE " NULL\n};\n"; 52 | close FILE; 53 | } 54 | 55 | sub get_exports { 56 | my ($category) = @_; 57 | my %exports; 58 | 59 | opendir(DIR, '.'); 60 | foreach my $file (grep { /^$category\_.*\.c$/ } readdir(DIR)) { 61 | my $code = strip_comments(slurp($file)); 62 | 63 | # Extract required utility modules 64 | # Find lines that include so-util headers like #include "so-util_base64-decode.h" 65 | while ($code =~ s/^\s*#include\s+"so-util_([-a-zA-Z0-9]+)\.h//sm) { 66 | my $required = $1; 67 | $exports{$file}{requires}{$required}++; 68 | } 69 | 70 | # Extract function names 71 | while ($code =~ s/^\s*Rule\s+(\w+)\s*=\s*\{//sm) { 72 | my $func = $1; 73 | $exports{$file}{funcs}{$func}++; 74 | } 75 | } 76 | closedir DIR; 77 | return \%exports; 78 | } 79 | 80 | sub slurp { 81 | my ($file) = @_; 82 | open(FILE, '<', $file); 83 | local $/; 84 | return ; 85 | } 86 | 87 | # XXX - should be more robust... 88 | sub strip_comments { 89 | my ($code) = @_; 90 | $code =~ s{ 91 | /\* # Match the opening delimiter. 92 | .*? 
# Match a minimal number of characters. 93 | \*/ # Match the closing delimiter. 94 | }{}gsx; 95 | return $code; 96 | } 97 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/so-util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Utility functions shared by custom rules 3 | * 4 | * Copyright (C) 2007 Sourcefire, Inc. All Rights Reserved 5 | * 6 | * Writen by Patrick Mullen 7 | * Monica Sojeong Hong 8 | * 9 | * This file may contain proprietary rules that were created, tested and 10 | * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as 11 | * rules that were created by Sourcefire and other third parties and 12 | * distributed under the GNU General Public License (the "GPL Rules"). The 13 | * VRT Certified Rules contained in this file are the property of 14 | * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. 15 | * The GPL Rules created by Sourcefire, Inc. are the property of 16 | * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights 17 | * Reserved. All other GPL Rules are owned and copyrighted by their 18 | * respective owners (please see www.snort.org/contributors for a list of 19 | * owners and their respective copyrights). In order to determine what 20 | * rules are VRT Certified Rules or GPL Rules, please refer to the VRT 21 | * Certified Rules License Agreement. 
22 | */ 23 | 24 | 25 | #ifndef SO_UTIL_H 26 | #define SO_UTIL_H 27 | 28 | #include "sf_snort_plugin_api.h" 29 | #include "sf_snort_packet.h" 30 | 31 | /* 32 | * Support functions to read little-endian or big-endian binary data 33 | */ 34 | 35 | u_int64_t read_big_64(const u_int8_t *p); 36 | u_int32_t read_big_32(const u_int8_t *p); 37 | u_int16_t read_big_16(const u_int8_t *p); 38 | u_int64_t read_little_64(const u_int8_t *p); 39 | u_int32_t read_little_32(const u_int8_t *p); 40 | u_int16_t read_little_16(const u_int8_t *p); 41 | 42 | // Macros that convert the above functions to auto-incrementing versions 43 | #define read_big_64_inc(p) read_big_64(p); p += 8 44 | #define read_big_32_inc(p) read_big_32(p); p += 4 45 | #define read_big_16_inc(p) read_big_16(p); p += 2 46 | #define read_little_64_inc(p) read_little_64(p); p += 8 47 | #define read_little_32_inc(p) read_little_32(p); p += 4 48 | #define read_little_16_inc(p) read_little_16(p); p += 2 49 | 50 | #endif /* SO_UTIL_H */ 51 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/so-util_base.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Support functions to read little-endian or big-endian binary data 3 | * 4 | * Copyright (C) 2007 Sourcefire, Inc. All Rights Reserved 5 | * 6 | * Writen by Monica Sojeong Hong 7 | * 8 | * This file may contain proprietary rules that were created, tested and 9 | * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as 10 | * rules that were created by Sourcefire and other third parties and 11 | * distributed under the GNU General Public License (the "GPL Rules"). The 12 | * VRT Certified Rules contained in this file are the property of 13 | * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. 14 | * The GPL Rules created by Sourcefire, Inc. are the property of 15 | * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. 
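All Rights
 * Reserved. All other GPL Rules are owned and copyrighted by their
 * respective owners (please see www.snort.org/contributors for a list of
 * owners and their respective copyrights). In order to determine what
 * rules are VRT Certified Rules or GPL Rules, please refer to the VRT
 * Certified Rules License Agreement.
 */

#include "so-util.h"

/*
 * Fixed-width big- and little-endian readers used by the shared-object rules.
 *
 * Each function reads exactly as many bytes as its return type holds, starting
 * at p, and performs no bounds checking of its own: the caller must already
 * have established that those bytes lie inside the packet payload.
 *
 * Every byte is widened to the unsigned result type before it is shifted.  In
 * the previous form (`*p << 24`) the uint8_t was promoted to a signed int, and
 * shifting a value of 0x80 or more left by 24 overflows a 32-bit int, which is
 * undefined behaviour in C.  Widening first makes the shifts well defined for
 * every input byte; the decoded value for inputs that did not trigger the
 * overflow is unchanged.
 */

uint64_t read_big_64(const uint8_t *p)
{
    return ((uint64_t)p[0] << 56) | ((uint64_t)p[1] << 48) |
           ((uint64_t)p[2] << 40) | ((uint64_t)p[3] << 32) |
           ((uint64_t)p[4] << 24) | ((uint64_t)p[5] << 16) |
           ((uint64_t)p[6] << 8)  | (uint64_t)p[7];
}

uint32_t read_big_32(const uint8_t *p)
{
    /* The cast on p[0] is the fix: p[0] << 24 on a promoted int is UB for
     * p[0] >= 0x80. */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

uint16_t read_big_16(const uint8_t *p)
{
    /* At most 0xff00 after the shift, so int arithmetic is safe here. */
    return (uint16_t)((p[0] << 8) | p[1]);
}

uint64_t read_little_64(const uint8_t *p)
{
    return (uint64_t)p[0]         | ((uint64_t)p[1] << 8)  |
           ((uint64_t)p[2] << 16) | ((uint64_t)p[3] << 24) |
           ((uint64_t)p[4] << 32) | ((uint64_t)p[5] << 40) |
           ((uint64_t)p[6] << 48) | ((uint64_t)p[7] << 56);
}

uint32_t read_little_32(const uint8_t *p)
{
    /* Same fix as read_big_32: widen p[3] before the 24-bit shift. */
    return (uint32_t)p[0]         | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

uint16_t read_little_16(const uint8_t *p)
{
    return (uint16_t)((p[1] << 8) | p[0]);
}
-------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/so-util_base64-decode.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Utility functions shared by custom rules 3 | 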
* 4 | * Copyright (C) 2007 Sourcefire, Inc. All Rights Reserved 5 | * 6 | * Writen by Patrick Mullen 7 | * Monica Sojeong Hong 8 | * 9 | * This file may contain proprietary rules that were created, tested and 10 | * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as 11 | * rules that were created by Sourcefire and other third parties and 12 | * distributed under the GNU General Public License (the "GPL Rules"). The 13 | * VRT Certified Rules contained in this file are the property of 14 | * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. 15 | * The GPL Rules created by Sourcefire, Inc. are the property of 16 | * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights 17 | * Reserved. All other GPL Rules are owned and copyrighted by their 18 | * respective owners (please see www.snort.org/contributors for a list of 19 | * owners and their respective copyrights). In order to determine what 20 | * rules are VRT Certified Rules or GPL Rules, please refer to the VRT 21 | * Certified Rules License Agreement. 22 | */ 23 | 24 | 25 | #ifndef SO_UTIL_BASE64_DECODE_H 26 | #define SO_UTIL_BASE64_DECODE_H 27 | 28 | #include "sf_snort_plugin_api.h" 29 | #include "sf_snort_packet.h" 30 | 31 | /* 32 | * Base64 Decoding Routines 33 | */ 34 | 35 | int unfold_header(const u_int8_t*, u_int32_t, u_int8_t*, u_int32_t, u_int32_t*); 36 | int base64decode(const u_int8_t*, u_int32_t, u_int8_t*, u_int32_t, u_int32_t*); 37 | 38 | #endif /* SO_UTIL_BASE64_DECODE_H */ 39 | -------------------------------------------------------------------------------- /snort/snortrules-snapshot-29150/so_rules/src/so-util_ber.h: -------------------------------------------------------------------------------- 1 | /* 2 | * BER support functions 3 | * 4 | * Copyright (C) 2007 Sourcefire, Inc. All Rights Reserved 5 | * 6 | * Written by Patrick Mullen 7 | * 8 | * This file may contain proprietary rules that were created, tested and 9 | * certified by Sourcefire, Inc. 
(the "VRT Certified Rules") as well as 10 | * rules that were created by Sourcefire and other third parties and 11 | * distributed under the GNU General Public License (the "GPL Rules"). The 12 | * VRT Certified Rules contained in this file are the property of 13 | * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved. 14 | * The GPL Rules created by Sourcefire, Inc. are the property of 15 | * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights 16 | * Reserved. All other GPL Rules are owned and copyrighted by their 17 | * respective owners (please see www.snort.org/contributors for a list of 18 | * owners and their respective copyrights). In order to determine what 19 | * rules are VRT Certified Rules or GPL Rules, please refer to the VRT 20 | * Certified Rules License Agreement. 21 | */ 22 | 23 | #ifndef SO_UTIL_BER_H 24 | #define SO_UTIL_BER_H 25 | 26 | #include "sf_snort_plugin_api.h" 27 | #include "sf_snort_packet.h" 28 | 29 | 30 | typedef struct { 31 | u_int32_t type; // Type of element 32 | u_int32_t specified_total_len; // Len of type byte + size field + data_len from packet 33 | u_int32_t total_len; // The actual number of bytes available for the entire element 34 | u_int32_t data_len; // Size specified in size field of element 35 | struct { 36 | const u_int8_t *data_ptr; // Pointer to the element's data 37 | u_int32_t int_val; // If int type, value of element after ber_extract_int() is called 38 | } data; 39 | } BER_ELEMENT; 40 | 41 | int ber_get_size(SFSnortPacket *, const u_int8_t *, u_int32_t *, u_int32_t *); 42 | int ber_get_int(const u_int8_t *, u_int32_t, u_int32_t *); 43 | int ber_get_element(SFSnortPacket *, const u_int8_t *, BER_ELEMENT *); 44 | int ber_extract_int_val(BER_ELEMENT *); 45 | int ber_skip_element(SFSnortPacket *, const u_int8_t **, u_int32_t); 46 | int ber_point_to_data(SFSnortPacket *, const u_int8_t **, u_int32_t); 47 | int ber_extract_int(SFSnortPacket *, const u_int8_t **, BER_ELEMENT *); 48 | 49 | 
#define BER_SUCCESS 0
#define BER_FAIL -1           // Complete failure
#define BER_PARTIAL_DATA -2   // Data may not be useful

/* Convenience macros for use inside shared-object rule functions.
 *
 * They are not self-contained: each expects `sp` (SFSnortPacket *) and
 * `cursor_normal` (const u_int8_t *) to be locals of the calling function, and
 * on anything other than BER_SUCCESS they `return RULE_NOMATCH` from that
 * function -- so BER_PARTIAL_DATA is treated as a no-match, not as a partial
 * match to keep parsing. Note the status conventions differ between helpers:
 * BER_SUCCESS is 0 while DNS_SUCCESS (so-util_dns.h) is 1, so always compare
 * against the macro rather than testing for zero. */
#ifndef BER_MACROS
#define BER_MACROS
#define BER_DATA(type) if(ber_point_to_data(sp, &cursor_normal, type) != BER_SUCCESS) return RULE_NOMATCH
#define BER_SKIP(type) if(ber_skip_element(sp, &cursor_normal, type) != BER_SUCCESS) return RULE_NOMATCH
#define BER_EXTRACT_INT(BE) if(ber_extract_int(sp, &cursor_normal, &BE) != BER_SUCCESS) return RULE_NOMATCH
#endif

#endif /* SO_UTIL_BER_H */

--------------------------------------------------------------------------------
/snort/snortrules-snapshot-29150/so_rules/src/so-util_dns.c:
--------------------------------------------------------------------------------
/*
 * DNS support functions
 *
 * Copyright (C) 2013 Sourcefire, Inc. All Rights Reserved
 *
 * Written by Patrick Mullen
 *
 * This file may contain proprietary rules that were created, tested and
 * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
 * rules that were created by Sourcefire and other third parties and
 * distributed under the GNU General Public License (the "GPL Rules"). The
 * VRT Certified Rules contained in this file are the property of
 * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
 * The GPL Rules created by Sourcefire, Inc. are the property of
 * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
 * Reserved. All other GPL Rules are owned and copyrighted by their
 * respective owners (please see www.snort.org/contributors for a list of
 * owners and their respective copyrights). In order to determine what
 * rules are VRT Certified Rules or GPL Rules, please refer to the VRT
 * Certified Rules License Agreement.
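*/

#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"

#include "so-util_dns.h"

//#define DEBUG
#ifdef DEBUG
#define DEBUG_SO(code) code
#else
#define DEBUG_SO(code)
#endif

/* dns_skip_name

   Given pointers to a cursor and the end of the payload, will process a dns name
   for the sole purpose of skipping over it. This means it doesn't actually follow
   name compression; it just jumps to the end of it all and modifies the cursor to
   point to the byte after the dns name.

   Returns DNS_SUCCESS (which is 1, not 0) and advances *cursor_in past the
   name -- past the terminating null label or past the two-byte compression
   pointer -- or DNS_FAIL if the name does not fit inside [cursor, end_of_payload).
   On DNS_FAIL *cursor_in is left untouched.

   Bounds handling: every label length is compared against the bytes remaining
   before the cursor is moved, so no pointer beyond end_of_payload is ever
   formed, and a compression pointer whose first byte is the last byte of the
   payload is rejected. (The previous version only checked the first byte of
   the pointer and then unconditionally added 2, returning DNS_SUCCESS with
   the cursor one byte past end_of_payload.) Length bytes with top bits 01 or
   10, which are not valid RFC 1035 labels, are still skipped as plain lengths,
   as before.
*/
int dns_skip_name(const uint8_t **cursor_in, const uint8_t *end_of_payload) {
   const uint8_t *cursor_raw = *cursor_in;

   while(cursor_raw < end_of_payload) {
      uint8_t label_len = *cursor_raw;

      if(label_len == 0) {
         // terminating null label: a single byte
         cursor_raw += 1;
         *cursor_in = cursor_raw;
         return(DNS_SUCCESS);
      }

      if((label_len & 0xc0) == 0xc0) {
         // compression pointer: two bytes, both of which must be inside the payload
         if(end_of_payload - cursor_raw < 2)
            return(DNS_FAIL);
         cursor_raw += 2;
         *cursor_in = cursor_raw;
         return(DNS_SUCCESS);
      }

      // plain label: the length byte plus label_len bytes of data, and at least
      // one more byte (the next length byte) must remain after it. Compare the
      // remaining count so the cursor never advances past end_of_payload.
      if(end_of_payload - cursor_raw <= label_len + 1)
         return(DNS_FAIL);
      cursor_raw += label_len + 1;
   }

   // ran out of payload before a null label or pointer was seen
   return(DNS_FAIL);
}

--------------------------------------------------------------------------------
/snort/snortrules-snapshot-29150/so_rules/src/so-util_dns.h:
--------------------------------------------------------------------------------
/*
 * DNS support functions
 *
 * Copyright (C) 2013 Sourcefire, Inc. All Rights Reserved
 *
 * Written by Patrick Mullen
 *
 * This file may contain proprietary rules that were created, tested and
 * certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
 * rules that were created by Sourcefire and other third parties and
 * distributed under the GNU General Public License (the "GPL Rules"). The
 * VRT Certified Rules contained in this file are the property of
 * Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
 * The GPL Rules created by Sourcefire, Inc.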
are the property of
 * Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
 * Reserved. All other GPL Rules are owned and copyrighted by their
 * respective owners (please see www.snort.org/contributors for a list of
 * owners and their respective copyrights). In order to determine what
 * rules are VRT Certified Rules or GPL Rules, please refer to the VRT
 * Certified Rules License Agreement.
 */

#ifndef SO_UTIL_DNS_H
#define SO_UTIL_DNS_H

#include "sf_snort_plugin_api.h"
#include "sf_snort_packet.h"

/* Status codes for the DNS helpers. DNS_SUCCESS is 1, unlike BER_SUCCESS (0)
 * in so-util_ber.h, so callers must compare against the macro rather than
 * testing the return value for zero. */
#define DNS_SUCCESS 1
#define DNS_FAIL -1

/* Advance *cursor past a DNS name (labels up to a null label or a two-byte
 * compression pointer, which is not followed). Returns DNS_SUCCESS, or
 * DNS_FAIL when the name does not fit before end_of_payload, in which case the
 * cursor is not modified. Declared here with u_int8_t while so-util_dns.c
 * defines it with uint8_t. */
int dns_skip_name(const u_int8_t **, const u_int8_t *);

#endif /* SO_UTIL_DNS_H */

--------------------------------------------------------------------------------
/snort/snortrules-snapshot-29150/so_rules/src/test.conf:
--------------------------------------------------------------------------------
# include deleted.rules
include browser-chrome.rules
include browser-ie.rules
include browser-other.rules
include browser-webkit.rules
include exploit-kit.rules
include file-executable.rules
include file-flash.rules
include file-image.rules
include file-java.rules
include file-multimedia.rules
include file-office.rules
include file-other.rules
include file-pdf.rules
include indicator-shellcode.rules
include malware-cnc.rules
include malware-other.rules
include netbios.rules
include os-linux.rules
include os-other.rules
include os-windows.rules
include policy-other.rules
include policy-social.rules
include protocol-dns.rules
include protocol-nntp.rules
include protocol-other.rules
include protocol-scada.rules
include protocol-snmp.rules
include protocol-tftp.rules
include protocol-voip.rules
include pua-p2p.rules
include server-apache.rules
include server-iis.rules
include server-mail.rules
include server-mysql.rules
include server-oracle.rules
include server-other.rules
include server-webapp.rules
--------------------------------------------------------------------------------
/snort/test_snort.py:
--------------------------------------------------------------------------------
"""
Test module for snort.py

Created on 6 November 2019
@author: Charlie Lewis
"""
import sys

from .snort import get_path
from .snort import run_tool


def _write_invalid_pcap(repeat):
    """Overwrite /tmp/test with ``repeat`` copies of a string that is not a pcap.

    The fixed path is shared with the other tool test modules, so these tests
    should not be run concurrently with them.
    """
    with open('/tmp/test', 'w') as f:
        f.writelines("This is an invalid test" for _ in range(repeat))


def test_get_path():
    """get_path() reads sys.argv; it only has to return without raising."""
    get_path()


def test_run_tool():
    """run_tool() must survive input that is not a pcap, both tiny and ~2.3 KB."""
    for repeat in (1, 100):
        _write_invalid_pcap(repeat)
        run_tool('/tmp/test')
--------------------------------------------------------------------------------
/tcpdump_hex_parser/Dockerfile:
--------------------------------------------------------------------------------
FROM alpine:3.18
LABEL maintainer="Charlie Lewis "

# python3 runs the parser; tcpdump does the actual pcap decoding (see run_tool
# in tcpdump_hex_parser.py). The apk cache is dropped to keep the image small.
# The base image is pinned to a minor release only, so rebuilds pick up point
# releases; check that the release still receives security updates before
# reusing this Dockerfile.
RUN apk add --update \
    python3 \
    tcpdump \
    && rm -rf /var/cache/apk/*

WORKDIR /app
COPY tcpdump_hex_parser/tcpdump_hex_parser.py /app/tcpdump_hex_parser.py
# Build-time smoke test: with no argument the script prints "no path provided"
# and exits 0, which at least proves the file parses and imports.
RUN python3 /app/tcpdump_hex_parser.py

# The default CMD is an empty string, so the container does nothing unless a
# pcap path is passed as the argument.
ENTRYPOINT ["python3", "/app/tcpdump_hex_parser.py"]
CMD [""]
--------------------------------------------------------------------------------
/tcpdump_hex_parser/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/tcpdump_hex_parser/__init__.py
--------------------------------------------------------------------------------
/tcpdump_hex_parser/tcpdump_hex_parser.py:
--------------------------------------------------------------------------------
"""
Tcpdump hex
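parser plugin

Created on 13 June 2016
@author: Charlie Lewis, David Grossman
"""

import subprocess
import sys


def get_path():
    """Return the pcap path given as the first command-line argument.

    Prints a message and returns None when no argument was supplied, so the
    caller can bail out without raising.
    """
    path = None
    try:
        path = sys.argv[1]
    except IndexError as e:
        print("no path provided: {0}, quitting.".format(str(e)))
    return path


def parse_header(line):
    """Parse one tcpdump summary line into a dict, extracting:
        time
        date
        ethernet_type
        protocol
        source ip
        source port (if it exists)
        destination ip
        destination port (if it exists)
        length of the data

    Expects the ``tcpdump -nn -tttt`` layout
    ``DATE TIME ETHERTYPE SRC > DST: PROTO ..., length N``. A port is
    recognised as a fifth dot-separated component (tcpdump prints
    ``a.b.c.d.port``), so only IPv4 addresses are split correctly; the raw
    line is kept under 'raw_header' for consumers that need more. Lines with
    fewer than seven whitespace-separated tokens raise IndexError.
    """
    ret_dict = {}
    h = line.split()
    date = h[0]
    time = h[1]
    ret_dict['raw_header'] = line
    ret_dict['date'] = date
    ret_dict['time'] = time
    # "10.0.0.1.80".split(".", 3) -> ['10', '0', '0', '1.80']: a dot in the
    # last piece means a port is present
    src_a = h[3].split(".", 3)
    if "." in src_a[-1]:
        port_a = src_a[-1].split('.')
        ret_dict['src_port'] = port_a[-1]
        ret_dict['src_ip'] = ".".join(h[3].split('.')[:-1])
    else:
        ret_dict['src_ip'] = h[3]
    # the destination carries a trailing ':' which has to be stripped from the
    # port, or from the address when there is no port
    dest_a = h[5].split(".", 3)
    if "." in dest_a[-1]:
        port_a = dest_a[-1].split('.')
        ret_dict['dest_port'] = port_a[-1].split(":")[0]
        ret_dict['dest_ip'] = ".".join(h[5].split('.')[:-1])
    else:
        ret_dict['dest_ip'] = h[5].split(":")[0]
    ret_dict['protocol'] = h[6]
    ret_dict['ethernet_type'] = h[2]
    try:
        ret_dict['length'] = int(h[-1])
    except ValueError as e:
        # lines without a trailing "length N" end in protocol details instead
        # of a number (see the tests); treat them as length 0
        print("failed to get length because: {0}, setting it to 0".format(str(e)))
        ret_dict['length'] = 0
    ret_dict['tool'] = "tcpdump_hex_parser"
    return ret_dict


def parse_data(line, length):
    """Return the hex bytes of one ``tcpdump -xx`` line as a string.

    ``line`` looks like ``0x0080:  e04b 2935 ...``; the offset before the colon
    is dropped and the spaces between byte groups are removed.

    When ``length`` is non-zero the last ``2*length`` hex characters are cut
    from the line. NOTE(review): this is applied per line (at most 16 bytes /
    32 hex characters) using the packet-level length from the header, so for
    any header length of 16 bytes or more every line collapses to ''. The
    intent is unclear, so the behaviour is kept as is; confirm with the tool's
    consumers before changing it.
    """
    ret_str = ''
    _, d = line.split(':', 1)
    ret_str = d.strip().replace(' ', '')
    if length != 0:
        ret_str = ret_str[:-(2*length)]
    return ret_str


def return_packet(line_source):
    """Create a packet dictionary
    'tool' field -> tcpdump hex parser (i.e., this tool)
    'data' field -> ascii hex values of the packet header and data
    'time' field -> time of packet capture
    'date' field -> date of packet capture
    'ethernet_type' field -> type of ethernet of packet capture
    'protocol' field -> protocol of packet capture
    'src_ip' field -> source ip address of packet capture
    'src_port' field -> source port of packet capture
    'dest_ip' field -> destination ip address of packet capture
    'dest_port' field -> destination port of packet capture
    'length' field -> length of data in packet capture
    'raw_header' field -> raw storage of the tcpdump header

    ``line_source`` yields the byte lines of ``tcpdump -xx`` output: a summary
    line per packet followed by its hex lines (which start with '0x'). A
    packet is yielded when the next summary line arrives and, for the last
    packet, after the input is exhausted. Each packet gets a fresh dict built
    from its own header, so fields such as 'src_port' cannot leak from one
    packet into the next. Packets without any hex lines are skipped.

    Previously the dict was only refreshed when no hex data had been read, so
    every packet after the first was emitted with the first packet's header
    fields, the same dict object was yielded (and mutated) each time, and the
    final packet was never emitted at all.
    """
    ret_data = ''
    ret_header = {}
    ret_dict = {}
    for line in line_source:
        line_strip = line.decode('utf-8').strip()
        is_header = not line_strip.startswith('0x')
        if is_header:
            if ret_data:
                # flush the packet whose hex lines were being collected
                ret_dict['data'] = ret_data
                ret_data = ''
                yield ret_dict
            # start a new packet from this header
            ret_header = parse_header(line_strip)
            ret_dict = dict(ret_header)
        else:
            # concatenate the hex data of the current packet
            data = parse_data(line_strip, int(ret_header.get('length', 0)))
            ret_data = ret_data + data
    if ret_data:
        # the last packet is not followed by another header
        ret_dict['data'] = ret_data
        yield ret_dict


def run_tool(path):
    """Tool entry point: run tcpdump over the pcap at ``path`` and print one
    dict (see return_packet) per packet to stdout.

    The command is passed as an argument list with the default shell=False, so
    ``path`` reaches tcpdump verbatim. The previous version built a shell
    string (``'tcpdump ... -r ' + path`` with shell=True), which let a path
    containing shell metacharacters execute arbitrary commands. tcpdump's own
    diagnostics go to its stderr; a non-zero exit status is reported on stderr
    here as well so it is not mistaken for an empty capture. Raises
    FileNotFoundError if tcpdump is not installed.
    """
    cmd = ['tcpdump', '-nn', '-tttt', '-xx', '-r', path]
    with subprocess.Popen(cmd, stdout=subprocess.PIPE) as proc:
        for packet in return_packet(proc.stdout):
            print(str(packet))
    if proc.returncode != 0:
        print("tcpdump exited with status {0}".format(proc.returncode), file=sys.stderr)


if __name__ == '__main__':
    path = get_path()
    if path:
        run_tool(path)
--------------------------------------------------------------------------------
/tcpdump_hex_parser/test_tcpdump_hex_parser.py:
--------------------------------------------------------------------------------
"""
Test module for tcpdump_hex_parser.py

Created on 13 June 2016
@author: Charlie Lewis
"""

import pytest
import re
import sys

from .tcpdump_hex_parser import get_path
from .tcpdump_hex_parser import parse_header
from .tcpdump_hex_parser import parse_data
from .tcpdump_hex_parser import return_packet
from .tcpdump_hex_parser import run_tool


def test_get_path():
    get_path()
    sys.argv = []
    get_path()


def test_run_tool():
    # not a pcap: tcpdump fails, run_tool must report that without raising
    with open('/tmp/test', 'w') as f:
        f.write("this is a test file")
    run_tool('/tmp/test')


def test_parse_header():
    ret_dict = parse_header("2015-05-20 12:41:45.812393 IP 0.0.0.0 > 0.0.0.0: ESP(spi=0xb1ced15c,seq=0x30), length 184")
    assert isinstance(ret_dict, dict)
    assert ret_dict['date'] == "2015-05-20"
    assert ret_dict['time'] == "12:41:45.812393"
    assert ret_dict['raw_header'] == "2015-05-20 12:41:45.812393 IP 0.0.0.0 > 0.0.0.0: ESP(spi=0xb1ced15c,seq=0x30), length 184"
    assert ret_dict['ethernet_type'] == "IP"
    assert ret_dict['src_ip'] == "0.0.0.0"
    assert ret_dict['dest_ip'] == "0.0.0.0"
    assert ret_dict['protocol'] == "ESP(spi=0xb1ced15c,seq=0x30),"
    assert ret_dict['length'] == 184

    ret_dict = parse_header("2015-05-20 12:41:45.812393 IP 0.0.0.0.80 > 0.0.0.0.80: ESP(spi=0xb1ced15c,seq=0x30), length 184")
    assert ret_dict['src_ip'] == "0.0.0.0"
    assert ret_dict['dest_ip'] == "0.0.0.0"
    assert ret_dict['src_port'] == "80"
    assert ret_dict['dest_port'] == "80"

    ret_dict = parse_header("2015-05-20 12:41:45.812393 IP 0.0.0.0.80 > 0.0.0.0.80: ESP(spi=0xb1ced15c,seq=0x30)")
    assert ret_dict['src_ip'] == "0.0.0.0"
    assert ret_dict['dest_ip'] == "0.0.0.0"
    assert ret_dict['src_port'] == "80"
    assert ret_dict['dest_port'] == "80"
    assert ret_dict['length'] == 0


def test_parse_data():
    ret_str = parse_data("\t0x0080: e04b 2935 564f 91db 5344 5460 9189 33d0", 0)
    assert isinstance(ret_str, str)
    hex_pattern = re.compile(r'[0-9a-fA-F]+')
    m = re.search(hex_pattern, ret_str)
    assert m


def test_return_packet():
    # two packets with distinct headers: both must be emitted (including the
    # last one), each carrying its own header fields
    lines = []
    lines.append("2015-05-20 12:41:45.812393 IP 0.0.0.0 > 0.0.0.0: ESP(spi=0xb1ced15c,seq=0x30), length 0")
    lines.append("\t0x0080: e04b 2935 564f 91db 5344 5460 9189 33d0")
    lines.append("2015-05-20 12:41:46.812393 IP 0.0.0.0 > 0.0.0.0: ESP(spi=0xb1ced15c,seq=0x31), length 0")
    lines.append("\t0x0080: e04b 2935 564f 91db 5344 5460 9189 33d0")
    packets = list(return_packet([line.encode('utf-8') for line in lines]))
    assert len(packets) == 2
    for packet, header in zip(packets, lines[::2]):
        assert isinstance(packet, dict)
        assert packet['data'] == "e04b2935564f91db53445460918933d0"
        assert packet['raw_header'] == header
        assert packet['date'] == "2015-05-20"
    assert packets[0]['time'] == "12:41:45.812393"
    assert packets[1]['time'] == "12:41:46.812393"
--------------------------------------------------------------------------------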
/tcprewrite_dot1q/Dockerfile:
--------------------------------------------------------------------------------
FROM alpine:3.18
LABEL maintainer="Charlie Lewis "

# DEBIAN_FRONTEND is a Debian/apt setting with no effect on Alpine's apk; it
# looks like a leftover from an earlier base image.
ENV DEBIAN_FRONTEND noninteractive
ENV PYTHONUNBUFFERED 1
ENV PYTHONPATH=/app/network_tools_lib

# NOTE(review): this enables the unversioned edge/testing branch for every
# later `apk add`, so any of the packages installed below may be resolved from
# it instead of the 3.18 release. Check which package (if any) actually needs
# it and prefer pinning that single package (`apk add pkg@testing`).
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories

WORKDIR /app
COPY tcprewrite_dot1q/requirements.txt /app/requirements.txt
COPY tcprewrite_dot1q/en10mb.c /app/en10mb.c

# Install packages
# (tcpreplay is installed from apk here and then rebuilt from source below;
# `make install` presumably shadows the packaged binaries -- confirm which
# tcprewrite is first on PATH in the final image.)
RUN apk update && \
    apk -U upgrade && \
    apk add build-base libtool automake curl autoconf git python3 py3-pip tcpreplay libpcap libpcap-dev && \
    rm -rf /root/* && \
    rm -rf /var/cache/apk/*

# requirements.txt pins pika by version only; without --require-hashes the
# install trusts the index for the artifact's integrity.
RUN pip3 install -r /app/requirements.txt
COPY tcprewrite_dot1q/tcprewrite.py /app/tcprewrite.py
COPY network_tools_lib /app/network_tools_lib

# Build tcpreplay 4.3.4 with a replacement en10mb.c (the Ethernet plugin,
# presumably carrying the VLAN-handling change this tool relies on). The
# tarball is streamed straight into tar with no checksum or signature check,
# so the build trusts GitHub and TLS alone for integrity; curl is also run
# without -f, so an HTTP error page would be fed to tar rather than failing curl.
RUN curl -Ls https://github.com/appneta/tcpreplay/releases/download/v4.3.4/tcpreplay-4.3.4.tar.gz | tar zxvf -
RUN cp /app/en10mb.c tcpreplay-4.3.4/src/tcpedit/plugins/dlt_en10mb/en10mb.c
WORKDIR /app/tcpreplay-4.3.4
RUN if ! ./configure; then cat config.log; exit 1; fi && \
    make && \
    make install
WORKDIR /app
# Build-time smoke test: with no argument the script prints "No path provided"
# and exits 0.
RUN python3 /app/tcprewrite.py

# The default CMD is an empty string, so the container does nothing unless a
# pcap path is passed as the argument.
ENTRYPOINT ["python3", "/app/tcprewrite.py"]
CMD [""]
--------------------------------------------------------------------------------
/tcprewrite_dot1q/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/faucetsdn/network-tools/384991bd5f3cc6244aadb6de9cfb90fd5986d42b/tcprewrite_dot1q/__init__.py
--------------------------------------------------------------------------------
/tcprewrite_dot1q/requirements.txt:
--------------------------------------------------------------------------------
pika==1.3.2
--------------------------------------------------------------------------------
/tcprewrite_dot1q/tcprewrite.py:
--------------------------------------------------------------------------------
"""
Plugin that takes pcap files and rewrites them without .1Q VLAN tags

Created on 17 May 2018
@author: Charlie Lewis
"""

import datetime
import json
import os
import shlex
import subprocess
import sys

import pika
import network_tools_lib

# version string reported in the rabbit message, supplied by network_tools_lib
VERSION = network_tools_lib.get_version()


def connect_rabbit(host='messenger', port=5672, queue='task_queue'):
    """Open a blocking AMQP connection to ``host``:``port`` and return a
    channel on which ``queue`` has been declared durable.

    No credentials or TLS settings are passed, so the connection uses whatever
    pika's ConnectionParameters default to. The connection object itself is not
    returned, so the caller cannot close it explicitly; it is released when the
    process exits.
    """
    params = pika.ConnectionParameters(host=host, port=port)
    connection = pika.BlockingConnection(params)
    channel = connection.channel()
    channel.queue_declare(queue=queue, durable=True)
    return channel


def send_rabbit_msg(msg, channel, exchange='', routing_key='task_queue'):
    """Publish ``msg`` as JSON on ``channel`` (delivery_mode=2, i.e. persistent)
    and log it to stdout.

    ``msg`` must carry 'id' and 'file_path' keys, which are echoed in the log
    line together with a UTC timestamp.
    """
    channel.basic_publish(exchange=exchange,
                          routing_key=routing_key,
                          body=json.dumps(msg),
                          properties=pika.BasicProperties(
                              delivery_mode=2,
                          ))
    print(" [X] %s UTC %r %r" % (str(datetime.datetime.utcnow()),
                                 str(msg['id']), str(msg['file_path'])))
    return

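def get_path():
    """Return the pcap path given as the first command-line argument, or None
    (after printing a message) when none was supplied."""
    path = None
    try:
        path = sys.argv[1]
    except IndexError as e:
        print("No path provided: {0}, quitting".format(str(e)))
    return path


def run_tool(path):
    """Strip 802.1Q VLAN tags from the pcap at ``path`` with tcprewrite.

    The rewritten file is written into a new, timestamped directory next to
    the input (``<dir of path>/tcprewrite-dot1q-<timestamp>/<file name>``) so
    downstream tools can recognise the producer from the path.

    Returns the output file path, or None when the input is empty, the output
    directory cannot be created, or tcprewrite is missing / exits non-zero.
    (Previously the output path was returned even when tcprewrite had failed,
    so consumers were handed a path to a file that was never written.)
    """
    if os.path.getsize(path) == 0:
        print("pcap file empty, not rewriting")
        return None

    # need to make directories to store results from tcprewrite; os.path.split
    # also copes with a bare file name, where rsplit('/', 1) raised ValueError
    base_dir, file_name = os.path.split(path)
    # the directory name says UTC, so take a UTC timestamp (this matches the
    # utcnow() used in send_rabbit_msg); ':' is replaced so the name is valid
    # on filesystems that forbid it
    timestamp = '-'.join(str(datetime.datetime.utcnow()).split(' ')) + '-UTC'
    timestamp = timestamp.replace(':', '_')
    # make directory for tool name recognition of piping to other tools
    output_dir = os.path.join(base_dir, 'tcprewrite-dot1q' + '-' + timestamp)
    output_path = os.path.join(output_dir, file_name)
    try:
        # exist_ok: two runs within the same second share a directory instead
        # of failing
        os.makedirs(output_dir, exist_ok=True)
    except OSError as e:  # pragma: no cover
        print("couldn't make directories for output of this tool: {0}".format(e), file=sys.stderr)
        return None
    # argv is passed as a list: the previous shlex.split() of a string built
    # from ``path`` mis-parsed, or raised on, paths containing spaces or quotes
    cmd = ['tcprewrite', '--enet-vlan=del', '--infile=' + path, '--outfile=' + output_path]
    try:
        subprocess.check_call(cmd)
    except (OSError, subprocess.CalledProcessError) as e:
        print("tcprewrite failed: {0}".format(e), file=sys.stderr)
        return None
    return output_path


if __name__ == '__main__':  # pragma: no cover
    path = get_path()
    if path:
        result_path = run_tool(path)
        uid = ''
        if 'id' in os.environ:
            uid = os.environ['id']
        if 'rabbit' in os.environ and os.environ['rabbit'] == 'true':
            try:
                channel = connect_rabbit()
                # file_path is None when nothing was rewritten (empty input or
                # tcprewrite failure); consumers already had to handle the
                # empty-input case
                body = {'id': uid, 'type': 'metadata', 'file_path': result_path, 'data': '', 'results': {'tool': 'pcap-dot1q', 'version': VERSION}}
                send_rabbit_msg(body, channel)
            except Exception as e:
                print(str(e))
--------------------------------------------------------------------------------
/tcprewrite_dot1q/test_tcprewrite.py:
--------------------------------------------------------------------------------
"""
Test module for tcprewrite.py

Created on 20 December 2018
@author: Charlie Lewis
"""
import sys

from .tcprewrite import get_path
from .tcprewrite import run_tool


def test_get_path():
    get_path()
    sys.argv = []
    get_path()


def test_run_tool():
    # empty input: nothing is rewritten and None is returned
    with open('/tmp/test', 'w') as f:
        f.write("")
    assert run_tool('/tmp/test') is None
    # not a pcap: tcprewrite fails (or is absent) and None is returned rather
    # than the path of an output file that was never written
    with open('/tmp/test', 'w') as f:
        f.write("This is an invalid test")
    assert run_tool('/tmp/test') is None
--------------------------------------------------------------------------------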