#
# $Id: emerging.rules $
# Emerging Threats rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to threats@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#  Copyright (c) 2003-2008, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by many very smart people
# This may be a high load sig. Take time and seriously consider 
# that your dns_servers var is set as narrowly as possible
alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008446; rev:8;)

#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you
#alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; sid:2008470; rev:2;)
#by Greg Martin at Econet
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008447; rev:4;)
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; within: 8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; sid:2008475; rev:1;)

#by Chandan at secpod.com
# 01/08/2008 E-Ticket
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CURRENT_EVENTS Fake Airline E-ticket Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject\: E-Ticket #"; pcre:"/eTicket.*\.zip/i"; classtype:trojan-activity; reference:url,www.us-cert.gov/current/archive/2008/07/31/archive.html#airline_e_ticket_email_attack; reference:url,www.sophos.com/security/blog/2008/07/1604.html; sid:2008486; rev:1;)

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (1)"; flow:established,to_server; uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008382; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (2)"; flow:established,to_server; uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase; classtype:trojan-activity; sid:2008383; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin (3)"; flow:established,to_server; uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase; classtype:trojan-activity; sid:2008384; rev:2;)

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Trojan-Downloader.Win32.Homles.br (/17PHolmes.cmt)"; flow:established,to_server; uricontent:"/17PHolmes.cmt"; classtype:trojan-activity; sid:2008394; rev:1;)

#by Daniel Clemens
alert ip $HOME_NET any -> [85.131.154.44,85.131.154.45] any (msg:"ET CURRENT_EVENTS Communication with known iamleet.be Botnet CnC Server"; threshold:type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2008286; rev:1;)

#by Chandan at Secpod
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; sid:2008407; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; sid:2008408; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; sid:2008409; rev:1;)

#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
#  Mass File Injection attacks
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:1;)

#by Michael Sconzo of ERCOT
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\: "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008313; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\: "; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008314; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) -- Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type\: "; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?</iframe>/im"; classtype:web-application-attack; sid:2008315; rev:1;)

#Greg Martin
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; sid:2008373; rev:1;)

#by Jack Pepper
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:"/ngg.js>"; within:50; classtype:trojan-activity; sid:2008387; rev:2;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:"/b.js>"; within:50; classtype:trojan-activity; sid:2008388; rev:2;)

#by jeremy at sudosecure
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (postcard.exe)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/postcard.exe"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/146; reference:url,www.us-cert.gov/current/index.html#new_storm_worm_varient_spreading; reference:url,www.us-cert.gov/current/archive/2008/07/29/archive.html#new_storm_worm_activity_spreading; reference:url,www.sophos.com/security/blog/2008/07/1599.html; sid:2008077; rev:16;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (bof)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/load.php|3F|bof"; nocase; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/119; sid:2008235; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/67; sid:2008193; rev:1;)

#by Victor Julien
# Just testing to see if it works well. lots of bad stuff use this uri and an IP
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Download (drv32.data)"; flow:established,to_server; content:"GET "; offset:0; depth:4; uricontent:"/drv32.data"; content:"|0d 0a|Host|3a|"; classtype:trojan-activity; sid:2008014; rev:2;)

#by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/config/fgun_install_"; content:"|0d 0a|User-Agent\: NSI SDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; sid:2008359; rev:2;)

#different trojan, by marcus at unsober
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; sid:2008368; rev:1;)


#Another unknown, needs a name. Sig by Pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Initial Checkin"; flow:established,to_server; dsize:<5; content:"id="; depth:3; flowbits:noalert; flowbits:set,ET.unknid; classtype:trojan-activity; sid:2008496; rev:1;) 
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Checkin"; flowbits:isset,ET.unknid; flow:established,to_server; dsize:100<>200; content:"&idate="; content:"&os="; content:"&wmid="; content:"&msg="; classtype:trojan-activity; sid:2008497; rev:1;)