#
# $Id: bleeding-attack_response.rules $
#
# Emerging Threats attack response rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2008, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; sid: 2000499; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; classtype: string-detect; sid: 2000500; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; classtype: string-detect; sid: 2000501; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; classtype: string-detect; sid: 2000502; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; classtype: string-detect; sid: 2000503; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; classtype: string-detect; sid: 2000504; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; classtype: string-detect; sid: 2000505; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; classtype: string-detect; sid: 2000506; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; classtype: string-detect; sid: 2000507; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "ET ATTACK RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; classtype: string-detect; sid: 2000508; rev:6; )

#by Matt Jonkman
# seeing some worms/trojans use an ftp server with all banners stripped out
# on off ports to download payload after the initial compromise.
# Just stats codes, no welcome, etc. Very unique
# something like:
#220 
#USER a
#331 
#PASS a
#230 
#TYPE I
#200 
#PORT 10,2,32,214,4,9
#200 
#RETR msnnmaneger.exe
#150 
#226 
#QUIT
#221 

#removing a few to simplify
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:noalert; flowbits:set,ET.strippedftpuser; classtype:trojan-activity; sid:2007715; rev:3;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; classtype:trojan-activity; sid:2007717; rev:4;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session; classtype:trojan-activity; sid:2007723; rev:4;)


#Matt Jonkman, information from Stephen Gill at Cymru
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; classtype:trojan-activity; sid:2002809; rev:3;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; classtype:trojan-activity; sid:2002810; rev:3;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; classtype:trojan-activity; sid:2002811; rev:3;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.warftp.org; sid:2003464; rev:2;)
alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; distance:0; nocase; classtype:trojan-activity; reference:url,www.freeftp.com; sid:2003465; rev:2;)

#Matt Jonkman, off port ftp banners
alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007725; rev:2;)
alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007726; rev:2;)

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:6;)
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: trojan-activity; sid: 2000347; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; tag: session,300,seconds; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; sid: 2000348; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC SEND"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000349; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC CHAT chat"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000350; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN \: #"; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: policy-violation; sid: 2000351; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:6;)
#Erik Fichtner
alert tcp $HOME_NET any -> any 6667 (msg: "ET ATTACK RESPONSE Likely Botnet Activity"; flowbits:isset,is_proto_irc; flow:to_server,established; content:"PRIVMSG"; nocase; tag: session,50,packets; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; sid: 2001620; rev:5;)

#By Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From\: anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent\: PHP"; nocase; classtype: web-application-activity; sid: 2001628; rev:4;)

#by Cees Elzinga
#note: most effective with a deep flow depth, or 0
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:2;) 
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/*  (c)oded by 1dt.w0lf"; content:"/*  RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:3;)

#by Ryan Macdonald of R-fx networks (www.rfxn.com)
#those commented out are more prone to false positives. They'll be more reliable in a web-only environment
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007651; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007652; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007653; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007654; rev:2;)
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007655; rev:2;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007656; rev:2;)
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:2;)

#by Adam Ellison
# Detects the old style weak and crackable windows auth in use. By default this should not be in 
#  active use, but can be forced by hostile parties by a number of methods
alert tcp $HOME_NET 139 -> any any (msg:"ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; classtype:policy-violation; sid:2006417; rev:5;)

#By Erik Fichtner
alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "ET ATTACK RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; sid: 2001616; rev:7;)

#by Matt Jonkman
alert tcp $HOME_NET $HTTP_PORTS -> any any (msg: "ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; content:"root\:x\:0\:0\:root\:/root\:/"; nocase; classtype:misc-activity; sid: 2002034; rev:5;)
alert tcp $HOME_NET $HTTP_PORTS -> any any (msg: "ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; content:"root\:*\:0\:0\:"; nocase; content:"\:/root\:/bin"; nocase; classtype:misc-activity; sid: 2003071; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,from_server; content:"root\:x\:0\:0\:root\:/root\:/"; nocase; classtype:misc-activity; sid: 2003149; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,from_server; content:"root\:*\:0\:0\:"; nocase; content:"\:/root\:/bin"; nocase; classtype:misc-activity; sid: 2003150; rev:2;)