#
# $Id: bleeding-dos.rules $
# Emerging Threats dos rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2003-2008, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#from Nicholas Nachefski
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "ET DOS HTTP GET with newline appended"; flowbits:noalert; flow: to_server,established; content:"GET / HTTP/1.0|0a|"; offset: 0; depth: 15; flowbits:set,http.get; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001635; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "ET DOS squ1rt Apache DoS"; flow: to_server,established; flowbits:isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content:"|20202020|"; offset: 1436; depth: 4; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001636; rev:5;)

#Submitted by Cody Hatch
alert udp any any -> $HOME_NET 514 (msg:"ET DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; classtype: attempted-dos; sid: 2000010; rev:6;)

#Submitted by Cody Hatch
alert tcp any any -> $HOME_NET 23 (msg: "ET DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; classtype: attempted-dos; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; sid: 2000011; rev:6;)

#submitted by Cody Hatch
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "ET DOS Cisco Router HTTP DoS"; flow: to_server,established; uricontent:"/%%"; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000006; rev:9;)

#By Blake Hartstein at Demarc
alert udp any any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port"; content:"|02 01 00|"; distance:2; within:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002880; rev:4;)
alert udp any any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port"; content:"|02 01|"; distance:2; within:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002881; rev:4;)
alert udp any any -> $HOME_NET 162 (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port"; content:"|02 01 03|"; distance:2; within:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002882; rev:3;)
alert udp any !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port"; content:"|02 01 00|"; distance:2; within:3; byte_test:1,>,159,8,relative; byte_test:1,<,164,8,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002926; rev:3;)
alert udp any !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port"; content:"|02 01|"; distance:2; within:2; byte_test:1,>,0,0,relative; byte_test:1,<,3,0,relative; byte_test:1,>,159,9,relative; byte_test:1,<,167,9,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002927; rev:3;)
alert udp any !161 -> $HOME_NET 49152: (msg:"ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port"; content:"|02 01 03|"; distance:2; within:3; byte_test:1,>,159,43,relative; byte_test:1,<,167,43,relative; reference:cve,2004-0714; reference:bugtraq,10186; classtype:attempted-dos; sid:2002928; rev:3;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; distance:8; depth:4; content:"|00 00 00 00 00 00|"; distance:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; classtype:attempted-dos; sid:2002853; rev:2;)

#Submitted by Joseph Gama, Tweaks by Owen Crowe
#Disabling by default. Very old, relatively high load considering the risk involved
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET DOS Internet Explorer Memory Corruption Bug"; flow: from_server,established; content:"<style>@\;/*"; nocase; reference:url,www.securiteam.com/windowsntfocus/5XP051FDFM.html; classtype: misc-activity; sid: 2001205; rev:9;)

#by Blake Hartstein of Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"ET DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; classtype:attempted-dos; sid:2002843; rev:3;)

#Submitted by Chris Norton
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET DOS MS04-030 Attempted DoS"; flow: to_server; flowbits:isnotset,tagged; content:"xmlns\:z"; content:"xml\:"; nocase; tag: host,10,packets,src; flowbits:set,tagged; reference:url,isc.sans.org/diary.php?date=2004-10-20; classtype: attempted-dos; sid: 2001362; rev:5;)

#From Erik Fichtner
# NOTE: If you can, put in a check on offset 20 through 23, as these
# are the source IP of the packet that is supposedly generating
# the traffic that caused the icmp unreach (EG: YOU.) example, if you
# have 192.168.0.0/24, you could put:
# byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
# or (even faster) content:"|C0A800|"; offset: 20; depth:23;
# You get the idea. This may well be unnecessary overkill. YMMV.
alert icmp any any -> $HOME_NET any (msg: "ET DOS -ISC- ICMP blind TCP reset DoS guessing attempt"; itype: 3; icode: 1<>5; byte_test:1,=,6,17;threshold: type threshold, track by_dst, count 30, seconds 300; reference:cve,can-2004-0790; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: attempted-dos; sid: 2001846; rev:10; )

# From Erik Fichtner:
# hit on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors)
# below a sane value, eg 576 bytes. Adjust to taste.
# true RFC791 min = 68, true end-to-end pmtu compatble min = 132.
# real world might even go as high as 1100 bytes min. YMMV.
#Updated to be 6 in the byte test as per Shane Castle
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "ET DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,6;byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:7;)

#Submitted by Chris Norton
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flowbits:isnotset,tagged; flow: established,to_server; content:"|10 00 00 10 cc|"; offset: 0; depth: 5; tag: host,3,packets,src; flowbits:set,tagged; reference:bugtraq,11265; classtype: attempted-dos; sid: 2001366; rev:7;)

#By Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET DOS NetrWkstaUserEnum Request with large Preferred Max Len"; flow:established,to_server; content:"|ff|SMB"; content:"|10 00 00 00|"; distance:0; content:"|02 00|"; distance:14; depth:2; byte_jump:4,12,relative,little,multiplier 2; content:"|00 00 00 00 00 00 00 00|"; distance:12; depth:8; byte_test:4,>,2,0,relative; reference:cve,2006-6723; classtype:attempted-dos; sid:2003236; rev:2;)

#Submitted by Johnathan Norman
alert tcp any any -> $HOME_NET 2702 (msg: "ET DOS Microsoft SMS dos attempt"; flow: to_server,established; content:"RCH0"; nocase; pcre:"/RCH0####RCHE.{130,}/smi"; reference:url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0; classtype: attempted-dos; sid: 2000496; rev:7;)

#Erik Fichtner
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "ET DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM\:"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; classtype: denial-of-service; sid: 2001795; rev:8;)

#By Blake Hartstein at Demarc
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP HELO Non-Displayable Characters MailEnable Denial of Service"; flow:established,to_server; content:"HELO "; nocase; depth:60; pcre:"/^[^\n]*[\x00-\x08\x0e-\x1f]/R"; reference:cve,2006-3277; reference:bugtraq,18630; classtype:attempted-dos; sid:2002998; rev:6;)

#
alert tcp any any -> $HOME_NET 443 (msg:"ET DOS SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2000016; rev:5;)