# # $Id: emerging-exploit.rules $ # Emerging Threats exploit rules. # # SID's are 2000000+ to avoid conflicts # # More information available at www.emergingthreats.net # # Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2010, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
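#
#
# NOTE(review): edits in this block are limited to rule-logic defects visible in the
# rules themselves (a header/flow direction contradiction, whitespace inside reference
# URLs, a typo in a msg string). Detection content is otherwise byte-identical and the
# rev was bumped on every rule that was touched.
#Submitted by Matt Jonkman
# Client-side: an outbound request whose URI contains ".pdf" followed by a NUL byte.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Adobe_Acrobat_BO; sid:2001217; rev:9;)
#From Bdoctor
# NOTE(review): the two hex content matches decode to "FO: You have suc" and
# "e client informa", i.e. the Arkeia agent's *reply* on tcp/617, and the rule already
# says flow:from_server. The original header ($EXTERNAL_NET any -> $HOME_NET 617)
# required the packet to travel client->server, which contradicts from_server, so the
# rule could never match the reply it describes. Header corrected to the reply direction.
alert tcp $HOME_NET 617 -> $EXTERNAL_NET any (msg: "ET EXPLOIT Arkeia full remote access without password or authentication"; flow: from_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Arkeia; sid:2001742; rev:9;)
#by Akash Mahajan
# The pcre uses /R, so the 50+ alphanumeric run must start right after the "DSRequest"
# match. classtype is successful-dos although only the attempt is observed.
alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50,}/R"; classtype:successful-dos; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Borland; sid:2007937; rev:3;)
#by Blake Hartstein
# Negative Content-Length header value on the CA service port (the pcre anchors the
# header at a line start and requires a leading "-").
alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg: "ET EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2002791; rev:4;)
#Blake Hartstein of Demarc
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003369; rev:3;)
#by Shirkdog
# ONC RPC call structure matched field by field (CALL, program 8, ...) on the portmapper port.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; distance:0; within:4; content:"|00 00 00 00|"; distance:0; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3248; reference:url,doc.emergingthreats.net/bin/view/Main/2003370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003370; rev:3;)
#by Shirkdog
# NOTE(review): removed a stray space before the ";" inside the milw0rm reference URL.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3244; reference:url,doc.emergingthreats.net/bin/view/Main/2003378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003378; rev:4;)
#Also by Shirkdog
# Only four 0xff bytes at offset 16 are checked -- a very thin match; expect noise on
# any binary protocol using tcp/2200.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; classtype:attempted-dos; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; reference:url,doc.emergingthreats.net/bin/view/Main/2003379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003379; rev:3;)
#another from Shirkdog
# The three ARCServe RPC rules below key on the RPC program number at offset 16
# (0x0006097e = mediasvr, 0x00060982 = caloggerd) followed by the procedure number.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/3604; reference:url,doc.emergingthreats.net/bin/view/Main/2003518; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003518; rev:3;)
#by shirkdog as well
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3939; reference:url,doc.emergingthreats.net/bin/view/Main/2003750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003750; rev:3;)
# NOTE(review): removed the space after "url," so the reference URL is not stored with a
# leading blank.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:0; within:8; classtype:attempted-dos; reference:url,www.milw0rm.com/exploits/3940; reference:url,doc.emergingthreats.net/bin/view/Main/2003751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CA; sid:2003751; rev:4;)
#by David Maciejak
# Shell metacharacter (";") injected via the v2 parameter of filediff; pcre runs on the
# normalized URI (/U).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"filediff|3f|f="; nocase; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVSTrac; sid:2002697; rev:6;)
#
# The three CVS rules match the filler bytes of specific public exploits
# ("Entry CCCCCCCCC/CC", "Entry aaaaaaaaaaaa", "Argument bbbbbbbbb") at payload offset 0.
# Those fillers are trivially changed by an attacker, so treat these as PoC-specific.
# NOTE(review): in-rule "threshold" is deprecated in newer Snort releases in favour of
# detection_filter / event_filter -- check what your engine version accepts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000048; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000031; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000049; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_CVS_HEAP_Overflow; sid:2000049; rev:5;)
#Submitted by Cody Hatch
# NOTE(review): uricontent is case-sensitive here ("%U002F" is not matched) and, if
# http_inspect is configured to decode %u encoding, the normalized URI buffer this
# rule inspects may no longer contain the literal "%u002F" at all -- verify against
# your preprocessor settings.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco %u IDS evasion"; flow: to_server,established; uricontent:"%u002F"; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_%u_Evasion; sid:2000012; rev:9;)
#Submitted by Cody Hatch
# Matches the literal "a%a%a%a%a%a%a%" string sent to the SSH port; no threshold, so
# a flood of these produces one alert per packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Catalyst_SSH_Protocol_Mismatch; sid:2000007; rev:7;)
#Submitted by Cody Hatch
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco IOS HTTP server DoS"; flow: to_server,established; uricontent:"/TEST?/"; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_HTTP_Server_DoS; sid:2000013; rev:9;)
#Submitted by Cody Hatch
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco IOS HTTP DoS"; flow: to_server,established; uricontent:"/error?/"; nocase; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_IOS_HTTP_DOS; sid:2000009; rev:10;)
#by Shirkdog
# Two-stage detection: 2003064 sets flowbit cmars.jboss on any POST to the JBoss
# jmx-console HtmlAdaptor; 2003065 then looks for a URL-encoded
# "Runtime.getRuntime().exec(" in the same session.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/jmx-console/HtmlAdaptor"; nocase; flowbits:set,cmars.jboss; reference:bugtraq,19071; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Mars; sid:2003064; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Mars; sid:2003065; rev:4;)
#Submitted by Cody Hatch
# Exact payload of a published telnet crash string ("????????????????a~ %%%%%XX"); PoC-specific.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Cisco_Telnet_Buffer_Overflow; sid:2000005; rev:7;)
#by Dale Peterson of digitalbond.com
# Exactly-4-byte message whose big-endian value exceeds 399.
# NOTE(review): fixed the "Overflowflow" typo in msg; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET EXPLOIT CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2008542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Citect_SCADA; sid:2008542; rev:7;)
#by Blake Hartstein at Demarc
# SSDP M-SEARCH with a 500+ byte first line (isdataat pre-filters before the pcre runs).
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2003039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Dlink; sid:2003039; rev:4;)
#By Mark Tombaugh
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Elm; sid:2002315; rev:5;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Elm; sid:2002316; rev:6;)
#by Akash Mahajan
# The hex string is the advisory's literal PoC URL "ezip://bla/bla?SN=bla?PN=bla?UN=bla";
# any other value evades this rule.
alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; classtype:successful-dos; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; reference:url,doc.emergingthreats.net/bin/view/Main/2007876; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_ExtremeZ-IP; sid:2007876; rev:2;)
# NOTE(review): the pcre here (five or more alphanumerics anywhere in the payload, not
# anchored to the AFP3.1 match) is satisfied by almost any AFP packet; the real
# discriminator is only the 8-byte content. Expect false positives on tcp/548.
alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5,}/i"; classtype:successful-dos; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_ExtremeZ-IP; sid:2007877; rev:3;)
#by Kevin Ross
#disabling for falses...
# These rely on flowbit ET.ftp.user.login, which is set by sid 2002850 ("ET FTP USER login
# flowbit") elsewhere in this file when a "USER " command is seen; "without login" here
# therefore means "no USER command observed yet", not "authentication failed".
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP CWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"CWD"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010731; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010731; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP SITE command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"SITE"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010732; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010732; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP RMDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RMDIR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010733; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP MKDIR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"MKDIR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010734; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP PWD command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"PWD"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010735; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP RETR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RETR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010736; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP NLST command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"NLST"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010737; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP RNTO command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNTO"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010738; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP RNFR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"RNFR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010739; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP STOR command attempt without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:!"USER"; depth:4; content:"STOR"; nocase; classtype:attempted-recon; reference:url,www.nsftools.com/tips/RawFTP.htm; reference:url,doc.emergingthreats.net/2010740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_FTP; sid:2010740; rev:2;)
#by Anonymous Researchers(tm)
#Intended to catch common shellcode encoding in exploit scripts coming to clients in web sessions
#high load. use these if you need them!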
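# NOTE(review): the "%u" escape form always carries four hex digits (%uXXXX), so the
# first pattern -- six repeats of "%u" plus exactly two hex digits -- cannot match a
# standard %uXXXX-encoded string; only the second (four-digit) pattern can. Both are
# unanchored PCREs over the whole response body, hence the "high load" warning above.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible UTF-8 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%U([0-9a-f]{2})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003173; rev:5;)
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible UTF-16 encoded Shellcode Detected"; flow:from_server,established; pcre:"/(%U([0-9a-f]{4})){6}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Generic_Shellcode; sid:2003174; rev:5;)
#by rich rumble
#GsecDump rule
# Looks for the UTF-16LE string "gsecdump.exe" in SMB traffic towards $HOME_NET; the
# source is deliberately "any" so lateral movement between internal hosts is covered.
# NOTE(review): the destination port was written as the range 139:445, which is every
# port from 139 through 445 inclusive -- 300+ unrelated services -- rather than the two
# SMB/NetBIOS ports. Replaced with the port list [139,445]. Added nocase so a
# differently-cased filename (GSECDUMP.EXE) is not missed; rev bumped.
alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; nocase; reference:url,xinn.org/Snort-gsecdump.html; classtype:suspicious-filename-detect; reference:url,doc.emergingthreats.net/2010783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Gsecdump; sid:2010783; rev:3;)
#by Veerendra
# 10/11/2008 GuildFTPd CWD and LIST Command Heap Overflow Attack.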
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008776; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_GuidFTP; sid:2008776; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_GuidFTP; sid:2008777; rev:3;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; uricontent:"_SERVER[REMOTE_ADDR]="; nocase; reference:bugtraq,15609; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2002703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Guppy; sid:2002703; rev:4;) #by David Maciejak alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow: to_server,established; content:"POST "; depth:5; nocase; uricontent:"/error.php?"; nocase; uricontent:"err="; nocase; pcre:"/Cookie\:\ +REMOTE_ADDR=/i"; reference:bugtraq,15609; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003332; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Guppy; 
sid:2003332; rev:4;) #by mike cox alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; classtype:attempted-admin; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:url,doc.emergingthreats.net/2010546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP; reference:cve,2007-2281; sid:2010546; rev:3;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/OvCgi/webappmon.exe"; nocase; uricontent:"ins=nowait"; nocase; uricontent:"cache="; nocase; content:"|0d 0a|Cookie|3A| "; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; classtype:web-application-attack; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:cve,2010-2709; reference:url,doc.emergingthreats.net/2011328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP; sid:2011328; rev:2;) #by Blake Hartstein of Demarc alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP USER login flowbit"; flow:established,to_server; content:"USER "; nocase; depth:5; flowbits:set,ET.ftp.user.login; flowbits:noalert; classtype:not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2002850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002850; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET FTP HP-UX LIST command without login"; flow:established,to_server; flowbits:isnotset,ET.ftp.user.login; content:"LIST "; nocase; depth:5; reference:cve,2005-3296; reference:bugtraq,15138; classtype:attempted-recon; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002851; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002851; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; distance:0; within:20; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002852; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_HP-UX; sid:2002852; rev:5;) # By Frank Knobbe #disabled by default as the ftp preproc will catch this now #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; content:!"|0d 0a|"; within:150; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; reference:cve,2009-3023; sid:2009828; rev:5;) # By evilghost #disabled by default as the ftp preproc will catch this now #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; classtype:attempted-admin; reference:url,www.milw0rm.com/exploits/9541; reference:url,doc.emergingthreats.net/2009860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IISFTP; reference:cve,2009-3023; sid:2009860; rev:5;) #Submitted by Joseph Gama alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001022; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001022; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001023; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001023; rev:5;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2001024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Invalid_TCP_Fragments; sid:2001024; rev:5;) #by David Maciejak alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/jammail.pl?"; nocase; pcre:"/(mail=\|.+\|)/"; reference:bugtraq,13937; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Jammail; sid:2001990; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LSASRV_DLL_RPC_Exploit_win2k; reference:cve,2003-0533; sid:2000046; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; classtype: misc-activity; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LSASRV_DLL_RPC_Exploit_winXP; reference:cve,2003-0533; sid:2000033; rev:9;) #Submitted by Joseph Gama alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,0,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001190; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001190; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001191; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001191; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,12,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001192; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001192; rev:10;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; 
reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001195; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001195; rev:9;)
#Submitted by Joe Stewart
# PNG to the client with a tRNS chunk but no PLTE chunk anywhere in the payload; the
# byte_test reads the 4-byte chunk length located 8 bytes before the end of "tRNS"
# (i.e. the field preceding the chunk type) and fires when it exceeds 256.
# Unlike the three rules above, this byte_test is binary big-endian (no "string").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_LibPNG; sid:2001058; rev:8;)
#by Blake Hartstein
# Request to the WRT54G /Security.tri endpoint carrying "SecurityMode=0" — the form field
# the referenced advisory ties to disabling authentication. Content is matched anywhere in
# the request (no http_ modifiers), which is broad but matches the era of the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; uricontent:"/Security.tri"; nocase; content:"SecurityMode=0"; nocase; classtype:attempted-admin; reference:url,secunia.com/advisories/21372/; reference:url,doc.emergingthreats.net/bin/view/Main/2003072; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Linksys; sid:2003072; rev:4;)
#by evilghost
# Request to /debug.cgi carrying one fixed Basic-auth header value (the vendor debug
# account from the referenced disclosure). Exact-match on the base64 blob: a different
# user:password encoding for the same account would not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; content:"|0d 0a|Authorization\: Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; uricontent:"/debug.cgi"; classtype:attempted-admin; reference:url,seclists.org/fulldisclosure/2010/Jun/176; reference:url,doc.emergingthreats.net/2011669; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Linksys; sid:2011669; rev:3;)
# From Syke@mantissecurity.net
# DISABLED ("##"): IRC server -> client "DCC SEND " followed by at least 100 more bytes
# (isdataat: 100, relative). Length-only heuristic; would be noisy on long filenames.
##alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg:"ET EXPLOIT mIRC <=6.12 DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND "; nocase; isdataat: 100, relative; reference:bugtraq,8880; classtype: attempted-dos; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000329; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MIRC_Overflow; sid:2000329; rev:8;)
#Joe Stewart
# MS04-007 ASN.1 (Kill-Bill) exploit: single fixed content string taken from the referenced
# public exploit, so it detects that sample and close derivatives only. Note the
# "CAN-" CVE prefix: the reference still uses the pre-2005 candidate naming.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "ET EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference:cve,CAN-2003-0818; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-007; sid:2001944; rev:6;)
#Submitted by Chris Norton and Woofz
# DISABLED: MS04-032 EMF heap overflow. Looks for "EMF", a short-jump + NOP sled
# (|EB 12 90 90 ...|) and a fixed 4-byte return address; classtype is shellcode-detect.
# Applies to any port (-> $HOME_NET any), which is why it was expensive enough to disable.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001369; rev:7;)
# DISABLED: MS04-032 "portbind" payload variant — "EMF" plus one 4-byte marker, any port.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001363; rev:7;)
# DISABLED: MS04-032 "connectback" payload variant — "EMF" plus two 4-byte markers, any port.
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; 
reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2001364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001364; rev:7;)
#From Erik Fichtner
# DISABLED: structural EMF check on HTTP responses — record type 1 in the first 4 bytes,
# the " EMF" signature at offset 40, and a little-endian 4-byte field at offset 60 > 256.
# Structural rather than sample-specific, unlike the three MS04-032 rules above.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001374; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS04-032; sid:2001374; rev:8;)
#By Erik Fichtner
# MS05-002 animated cursor: RIFF/ACON container, then an "anih" chunk whose little-endian
# length field (read directly after "anih") exceeds 36, the size of the fixed header.
# The distance:160 before "anih" means a chunk placed earlier in the file is not inspected.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little;classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-002_ANI_Stack_Overflow; sid:2001668; rev:6;)
#by Chris Ries of Vigilant Minds
# MS05-011: fires on the SMB *response* ($HOME_NET 445 -> $EXTERNAL_NET, flow:from_server),
# i.e. the server already processed the malformed request. Matches an SMB command 0x32
# (Trans2) response with a fixed 9-byte pattern at offset 132. Useful as a post-hoc
# indicator rather than a pre-exploitation one.
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"ET EXPLOIT ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; reference:url,doc.emergingthreats.net/bin/view/Main/2002064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-011; sid:2002064; rev:7;)
#These should be dropped.
Disabling till we hear if anyone wants to keep them
#Erik Fichtner
# MS05-021 Exchange link-state family. Every rule in this group (here and on the following
# line) is DISABLED. The first two are plain keyword matches on the X-LINK2STATE / X-LSA-2
# verbs; the third sets the "msxlsa" flowbit that the disabled response-side rules consume,
# so re-enabling any consumer without re-enabling sid 2001873 would leave it permanently silent.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001848; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001848; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001849; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001849; rev:7;)
# Flowbit setter for the chain: X-LINK2STATE with a CHUNK= argument, rate-limited per source.
# NOTE(review): the in-rule "threshold:" keyword is the old form; later Snort releases
# expect detection_filter / event_filter instead — check before re-enabling.
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001873; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001873; rev:9;)
# since this could be variable length chunks, we can't tell if we had
# enough data to blow the server up or not, so we have to read the
# chicken bones to see if it looks like exchange sh!t the bed or not.
# Response-side outcome rules for the msxlsa chain, all DISABLED. They run server -> client
# and each clears the flowbit, so only the first outcome seen is reported:
#  - a bare RST from the server while msxlsa is set => presumed crash;
#  - "200 DONE" => chunk accepted (this one is a pass rule, i.e. it only resets state);
#  - "500 DROP" => chunk rejected, server survived.
# The RST rule has no flow: option, so it relies on flowbits alone to scope the match.
#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001874; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001874; rev:8;)
#pass tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT MS Exchange chunks accepted"; flowbits:isset,msxlsa; flow: from_server,established; content:"200 DONE"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001875; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001875; rev:9;)
#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; flowbits:isset,msxlsa; flow: from_server,established; content:"500 DROP"; nocase; flowbits:unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001876; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-021; sid:2001876; rev:8;)
# Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
#Replaced by sigs below
# DISABLED: first-generation MS05-039 PnP rules (sids 2002186-2002188). They key on fixed
# offsets into the SMB Transaction request (command 0x25 = "SMB%") plus a hard-coded 4-byte
# value, which is sample-specific; the flowbit-based rules that follow replaced them.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; 
content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002186; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002186; rev:4;)
# DISABLED: port 139 variant of the superseded fixed-offset MS05-039 rule.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002187; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002187; rev:5;)
# DISABLED: port 445 variant of the same superseded rule (identical options apart from port).
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002188; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002188; rev:5;)
#All related to UPnP Exploit, MS05-039
#Thanks to the Alert Logic team
# (The msg strings below say "PnP" — Plug and Play, the service MS05-039 covers — which is
# not UPnP; the comment above should be read that way.)
# MS05-039 two-stage detection: the "bind attempt" rules below only SET the flowbit
# netbios.pnp.bind.attempt and never alert (flowbits:noalert); the "exploit attempt" rules
# require that bit to be set. Disabling a bind rule therefore silently blinds the matching
# exploit rule on that port.
# This first rule is the "HOD" variant: same SMB Transaction + \PIPE\ + DCERPC bind (|05| ... |0B|)
# + interface UUID chain as sid 2002200, differing only in distance:4 before the |05| byte.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; 
content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2002199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002199; rev:4;)
# Port 445 DCERPC bind to the PnP interface UUID (distance:2 variant). Sets the flowbit,
# does not alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2002200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002200; rev:4;)
# Port 445 exploit stage: opnum |36 00| on the bound pipe, then a pcre requiring two
# backslash-delimited UTF-16 path components, a 0000FFFF marker and at least 128 further
# bytes before a trailing 4-byte field — the oversized QueryResConfList buffer shape.
# Only fires when sid 2002199 or 2002200 has already set netbios.pnp.bind.attempt.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002201; rev:4;)
# Port 139 bind stage (NetBIOS session framing: leading |00| byte, then the SMB header).
# Uses the ASCII "\PIPE\" form and a byte_test on the SMB flags word instead of the
# UTF-16 pipe name used on 445.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; 
offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2002202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002202; rev:4;)
# Port 139 exploit stage; same pcre as sid 2002201, gated on the flowbit set by sid 2002202.
# Note the |36 00| opnum is placed at distance:19 here versus 26 on port 445 because the
# ASCII pipe name is shorter than the UTF-16 one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS05-039; sid:2002203; rev:4;)
#by Shirkdog, updated 2006-02-21, mscott
# MS06-005 BMP: "BM" within the first 400 bytes of the response, then the 8 bytes starting
# 4 bytes after it (reserved fields + bfOffBits) all zero — a pixel-data offset of 0.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image"; flow:established,from_server; content:"BM"; depth:400; byte_test:8,=,0,4,relative; reference:url,www.milw0rm.com/id.php?id=1500; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS06-005; sid:2002802; rev:7;)
#by Joe Stewart of Lurhq
# MS06-005 alternate check: "BM" anywhere in the payload (no depth), bfSize > 14, and the
# following 8 bytes zero. Overlaps with sid 2002802 for the depth<=400 case, so a single
# malformed BMP can raise both.
alert tcp $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"BM"; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; classtype:attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2002803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS06-005; sid:2002803; rev:7;)
#by Shirkdog
# MS06-035 SRV.SYS: SMB Transaction (command 0x25) whose flags byte has bit 0x80 clear,
# a transaction subcommand byte |03| followed by a fixed 6-byte field, a little-endian
# 16-bit value equal to 17, and a "\MAILSLOT\" name — the malformed mailslot write the
# referenced exploit sends. classtype is attempted-dos (crash, not code execution).
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT "; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; classtype:attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2003067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS06-035; sid:2003067; rev:5;)
# Submitted 2006-08-11 by Joe Stewart
# MS06-040 (port 139): DCERPC request over \PIPE\ carrying opnum |1f 00| at a fixed
# distance — a NetrpPathCanonicalize call, not necessarily a malicious one; hence
# classtype misc-attack rather than attempted-admin. Has no reference:cve entry.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003081; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS06-040; sid:2003081; rev:5;)
# MS06-040 (port 445): identical options to sid 2003081, only the destination port differs.
alert tcp $EXTERNAL_NET any -> 
$HOME_NET 445 (msg:"ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003082; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS06-040; sid:2003082; rev:5;)
#by Secureworks
# MS08-067 rule family (sids 2008690 onward). Every rule pairs the 16-byte interface UUID
# |C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88| (presumably SRVSVC) with either a DCERPC
# bind marker (|0B| at offset 2, depth 1) or an unanchored 2-byte opnum (|1F 00| / |20 00|,
# presumably NetPathCanonicalize / NetPathCompare) plus one encoding of a ../ or ..\ traversal.
# The opnum contents carry no offset/distance, so the UUID and traversal strings do the real
# work. Source is "any any", so internally-sourced attempts are covered as well.
# NOTE(review): the UDP/139 variants are unusual — SMB over NetBIOS is TCP/139 and the
# NetBIOS datagram service is UDP/138; confirm these UDP rules are reachable in practice.
# (1) UDP/139 bind to the interface.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008690; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008690; rev:5;)
# (2) UDP/139, opnum 0x1f, ASCII "..\..\" traversal.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008691; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008691; rev:6;)
# (3) UDP/139, opnum 0x1f, ASCII "../../" traversal.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; 
classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008692; rev:5;)
# (4) UDP/139, opnum 0x1f, UTF-16LE "../../" traversal.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008693; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008693; rev:5;)
# (5) UDP/139, opnum 0x1f, UTF-16LE "..\..\" traversal.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5)"; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008694; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008694; rev:5;)
# (6) NOTE(review): option-for-option identical to sid 2008690 ("(1)") apart from the msg
# text — both fire on the same packet, producing duplicate alerts. One of the pair should
# be retired or given a distinct purpose.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6)"; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008695; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008695; rev:5;)
# (7)-(10): UDP/139 variants keyed on opnum 0x20 instead of 0x1f, same four traversal encodings.
# (7) ASCII "..\..\".
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008696; rev:6;)
# (8) ASCII "../../".
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008697; rev:5;)
# (9) UTF-16LE "../../".
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008698; rev:5;)
# (10) UTF-16LE "..\..\".
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10)"; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 
6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008699; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008699; rev:5;)
# Known-sample rule: one long UTF-16LE "../../" path followed by a run of '0' bytes and
# a 0x87 byte, taken from a specific in-the-wild exploit. No UUID or opnum check, so this
# is purely a signature for that sample.
alert udp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance"; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008700; rev:5;)
# (11)-(15): TCP/445 counterparts, now with flow:established,to_server.
# (11) bind to the interface.
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008701; rev:5;)
# (12) opnum 0x1f with "\..\" — note this is a shorter pattern than the "..\..\" used by
# the UDP and TCP/139 rules, so the 445 rules are slightly looser.
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008702; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008702; rev:6;)
# (13) TCP/445, opnum 0x1f, ASCII "/../" (again shorter than the "../../" used on 139).
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008703; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008703; rev:5;)
# (14) TCP/445, opnum 0x1f, UTF-16LE "../../".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008704; rev:5;)
# (15) TCP/445, opnum 0x1f, UTF-16LE "..\..\".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008705; rev:5;)
# (16)-(20): TCP/139 counterparts of (11)-(15), using the longer "..\..\" / "../../" forms.
alert tcp any 
any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008706; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008706; rev:5;)
# (17) TCP/139, opnum 0x1f, ASCII "..\..\".
alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008707; rev:6;)
# (18) TCP/139, opnum 0x1f, ASCII "../../".
alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008708; rev:5;)
# (19) TCP/139, opnum 0x1f, UTF-16LE "../../".
alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 
00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008709; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008709; rev:5;)
# (20) TCP/139, opnum 0x1f, UTF-16LE "..\..\".
alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20)"; flow:established,to_server; content:"|1F 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008710; rev:5;)
# (21) NOTE(review): option-for-option identical to sid 2008701 ("(11)") apart from the msg
# text — duplicate alert on every TCP/445 bind. Retire one of the pair.
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008711; rev:5;)
# (22)-(25): TCP/445 variants keyed on opnum 0x20, same (shorter) traversal forms as (12)-(15).
# (22) "\..\".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008712; rev:6;)
# (23) TCP/445, opnum 0x20, ASCII "/../".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"/../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008713; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008713; rev:5;)
# (24) TCP/445, opnum 0x20, UTF-16LE "../../".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008714; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008714; rev:5;)
# (25) TCP/445, opnum 0x20, UTF-16LE "..\..\".
alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008715; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008715; rev:5;)
# (26) NOTE(review): option-for-option identical to sid 2008706 ("(16)") apart from the msg
# text — duplicate alert on every TCP/139 bind. Retire one of the pair.
alert tcp any 
any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26)"; flow:established,to_server; content:"|0B|"; offset:2; depth:1; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008716; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008716; rev:5;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"..|5C|..|5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008717; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008717; rev:6;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"../../"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008718; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008718; rev:5;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 2F 
00 2E 00 2E 00 2F|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008719; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008719; rev:5;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30)"; flow:established,to_server; content:"|20 00|"; content:"|C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 88|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008720; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008720; rev:5;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2)"; flow:established,to_server; content:"|00 2e 00 2e 00 2f 00 2e 00 2e 00 2f 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 87|"; classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx; reference:cve,2008-4250; reference:url,www.kb.cert.org/vuls/id/827267; reference:url,doc.emergingthreats.net/bin/view/Main/2008721; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067; sid:2008721; rev:5;) #by Blake Hartstein of Demarc alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2002845; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Hello; sid:2002845; rev:5;) #Submitted by Joseph Gama alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2000488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Injection; sid:2000488; rev:7;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2000372; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Injection; sid:2000372; rev:7;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; reference:url,doc.emergingthreats.net/bin/view/Main/2000373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Injection; sid:2000373; rev:7;) #Submitted by Joseph Gama alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-admin; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Ping; sid:2000377; rev:7;) alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000378; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Ping; sid:2000378; rev:8;) alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Ping; sid:2000379; rev:7;) alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2000380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Ping; sid:2000380; rev:9;) alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; reference:url,doc.emergingthreats.net/bin/view/Main/2000381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Ping; sid:2000381; rev:8;) #by Jaime Blasco alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; classtype:attempted-user; 
reference:url,doc.emergingthreats.net/2009999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Response; sid:2009999; rev:3;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2010000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Response; sid:2010000; rev:3;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2010001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Response; sid:2010001; rev:3;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2010002; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Response; sid:2010002; rev:4;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; classtype:attempted-user; reference:url,doc.emergingthreats.net/2010003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MSSQL_Response; sid:2010003; rev:4;) #community-written, see docs. 
Moved from Current events, will be stable for the long term alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS ANI exploit"; flow:established,from_server; content:"RIFF"; nocase; content:"ACON"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative, little; classtype:attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2003519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS_ANI; sid:2003519; rev:8;) #by Akash Mahajan of Stillsecure alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; classtype:successful-user; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:url,doc.emergingthreats.net/bin/view/Main/2008063; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Mdaemon; reference:cve,2008-1358; sid:2008063; rev:3;) #By Mark Tombaugh alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; classtype:successful-recon-limited; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; reference:url,doc.emergingthreats.net/bin/view/Main/2002389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Mercury; sid:2002389; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; classtype:misc-attack; reference:bugtraq,11775; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Mercury; sid:2002390; rev:4;)
#by Alejandro Gramajo
##############################################################################
# x86 Pex Variable Length Fnstenv/mov/sub Double Word Xor Encoder
#
# D9 EE             fldz
# D9 74 24 F4       fnstenv [esp - 12]
# 5B                pop ebx
# 81 73 13 xorkey   xor_xor: xor DWORD [ebx + 22], xorkey
# 83 EB FC          sub ebx,-4
# E2 F4             loop xor_xor
#
# Real traffic dump
#                 Content1
# 98 49 F8 27 91 2F 27 48 4F 4E 6A 12 59 2E D6 9A FE <83 EB FC E2 F4>   t$.[.s..........
#                                                Xorkey   Content2
#
# Content1 is the fnstenv getpc + xor prologue, Content2 the sub/loop tail.
# distance:4 within:5 with a 5-byte pattern pins Content2 immediately after the
# 4-byte xorkey, so a key value cannot shift the match.
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002903; rev:4;)
##############################################################################
# x86 Skylined's Alpha2 Alphanumeric Encoder
#
# Matches only the 10-byte GetEIP stub; unlike the neighbouring rules there is
# no second content anchoring a decoder tail, so this one is likely the noisiest
# of the group on binary traffic to $SHELLCODE_PORTS - tune accordingly.
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any ( msg:"ET EXPLOIT x86 Alpha2 GetEIPs Encoder"; content:"|EB 03 59 EB 05 E8 F8 FF FF FF|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002904; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002904; rev:4;)
##############################################################################
# x86 Call $+4 countdown xor encoder
#
# E8 FF FF FF FF    call $+4
# FF C1             inc ecx
# 5E                pop esi
# 30 4C 0E 07       xor_xor: xor [esi + ecx + 0x07], cl
# E2 FA             loop xor_xor
#
# The whole 13-byte stub is keyless, so a single content covers it.
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any ( msg:"ET EXPLOIT x86 Countdown Encoder";content:"|E8 FF FF FF FF C1 5E 30 4C 0E 07 E2 FA|";classtype:shellcode-detect;
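reference:url,doc.emergingthreats.net/bin/view/Main/2002905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002905; rev:4;)
##############################################################################
# x86 Pex Alphanumeric Encoder
#
# VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089   win32getpc
# ?? JJJJJ ??                                                  baseaddr
# VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM      decoder
#
# Three contents chained with distance/within so the getpc, the JJJJJ filler
# (2 variable bytes either side) and the decoder body must appear in order.
alert tcp $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT x86 PexAlphaNum Encoder"; content:"VTX630VXH49HHHPhYAAQhZYYYYAAQQDDDd36FFFFTXVj0PPTUPPa301089"; content:"JJJJJ"; distance: 2; within: 5; content:"VTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOM"; distance: 2; within: 55; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002906; rev:4;)
##############################################################################
# x86 Pex Call $+4 Double Word Xor Encoder
#
# E8 FF FF FF FF    call $+4
# FF C0             inc eax
# 5E                pop esi
# 81 76 0E xorkey   xor_xor: xor [esi + 0x0e], xorkey
# 83 EE FC          sub esi, -4
# E2 F4             loop xor_xor
#
# Second content is the sub/loop tail that follows the 4-byte xorkey, hence
# distance:4 within:5. rev:4 carried |82 EE FC E2 F4| here, which does not
# match the stub documented above (83 /5 ib is SUB r/m32,imm8; the 82 form is
# not what this encoder emits), so the rule could not fire on it. Corrected to
# 83 - the same tail sid:2002903 uses for sub ebx (|83 EB FC E2 F4|) - and rev
# bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT x86 PexCall Encoder"; content:"|E8 FF FF FF FF C0 5E 81 76 0E|"; content:"|83 EE FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002907; rev:5;)
##############################################################################
# x86 IA32 Jmp/Call XOR Additive Feedback Decoder
#
# FC                cld
# BB key            mov ebx, key
# EB 0C             jmp short 0x14
# 5E                pop esi
# 56                push esi
# 31 1E             xor [esi], ebx
# AD                lodsd
# 01 C3             add ebx, eax
# 85 C0             test eax, eax
# 75 F7             jnz 0xa
# C3                ret
# E8 EF FF FF FF    call 0x8
#
# The 4-byte key sits between |FC BB| and the decoder body; the rule below
# (continued on the next line) skips it with distance:4 within:19.
alert tcp $EXTERNAL_NET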
any -> $HOME_NET any (msg:"ET EXPLOIT x86 JmpCallAdditive Encoder"; content:"|FC BB|"; content:"|EB 0C 5E 56 31 1E AD 01 C3 85 C0 75 F7 C3 E8 EF FF FF FF|"; distance: 4; within: 19; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/bin/view/Main/2002908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2002908; rev:4;) # Metasploit BSD shellcode detect rules by h0f - Jennylab # Alberto Garcia de Dios # albertogdedios@andaluciajunta.es # http://www.jennylab.org # ##### # METASPLOIT SHELLCODE RULES ##### # # # BSD METASPLOIT RULES # #### BSD BIND SHELL ####### # BSD Bind Shell - ENCODE: PexFnstenvSub #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell"; content:"|83 e9 ec d9 ee d9 74 24 f4 5b 81 73 13|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010383; rev:2;) # BSD Bind Shell - ENCODE: CountDown #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 2)"; content:"|82 ed 5f 4c 5d 52 43 78 03 d9 95 8f 84 49 4a 48 71 74 45 d3|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010385; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010385; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 3)"; content:"|9f 90 4b ef a3 76 76 74 97 36 e4 aa bc 46 2f 77 45 6a 69 63|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010386; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 4)"; content:"|64 65 f8 b6 7e 
41 cc 6a 53 13 12 4d 57 28 6e 20 2a 2a cc a5|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010387; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Countdown Encoded 5)" ; content:"|17 1c 1a 19 fb 77 80 ce|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010388; rev:2;) #BSD Bind Shell - ENCODE: Pex #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 1)"; content:"|c9 83 e9 ec e8 ff ff ff ff c0 5e 81 76 0e|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010389; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010390; rev:2;) #BSD Bind Shell - ENCODE: None #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 1)"; content:"|6a 61 58 99 52 68 10 02|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010391; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010391; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 2)"; content:"|89 e1 52 42 52 42 52 6a 10 cd 80 99 93 51 53 52 6a 68 58 cd|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010392; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010392; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 3)"; content:"|80 b0 6a cd 80 52 53 52 b0 1e cd 80 97 6a 02 59 6a 5a 58 51|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010393; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010393; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 4)"; content:"|57 51 cd 80 49 79 f5 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010394; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Not Encoded 5)"; content:"|50 54 53 53 b0 3b cd 80|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010395; rev:2;) #BSD Bind Shell - ENCODE: PexAlphaNum #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 4f 49 49 49 49 49 49 51 5a 56|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010396; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2)"; content:"|54 58 36 33 30 56 58 34 41 30 42 36 48 48 30 42 33 30 42 43|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010397; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010397; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010398; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4)"; content:"|30 41 44 41 56 58 34 5a 38 42 44 4a 4f 4d 4c 36 41|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010399; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5)"; content:"|41 4e 44 35 44 34 44|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010400; rev:2;) #BSD Bind Shell - ENCODE: PexFstEnvMov #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1)"; content:"|6a 14 59 d9 ee d9 74 24 f4 5b 81 73 13|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010401; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010402; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010402; rev:2;) #BSD Bind Shell - ENCODE: JmpCallAditive #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (JmpCallAdditive Encoded)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010403; rev:2;) #BSD Bind Shell - ENCODE: Alpha2 #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 1)"; content:"|eb 03 59 eb 05 e8 f8 ff ff ff 49 49 49 49 49 49 49 49 49 49|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010404; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 2)"; content:"|41 42 32 42 41 32 41 41 30 41 41 58|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010405; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010405; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Bind shell (Alpha2 Encoded 3)"; content:"|49 72 4e 4e 69 6b 53|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010406; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010406; rev:2;) #### EOF BSD BIND SHELL ###### ### BSD REVERSE SHELL ####### #BSD Reverse Shell - ENCODE: PexFnstenvSub #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1)"; content:"|c9 83 e9 ef d9 ee d9 74 24 f4 5b 81 73 13|"; 
classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010407; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2)"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010408; rev:2;) #BSD Reverse Shell - ENCODE: Countdown #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 1)"; content:"|6a 43 59 e8 ff ff ff ff c1 5e 30 4c 0e 07 e2 fa 6b 63 5b 9d|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010409; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 2)"; content:"|9f f6 72 09 4b 4b 4d 8a 74 7d 78 ec a2 49 26 7c 96 7d 79 7e|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010410; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 3)"; content:"|7b e6 ac 64 57 d9 60 59 1d 1c 47 5d 5e 18 5a 50 54 b2 df 6d|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010411; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Countdown Encoded 4)"; content:"|57 44 55 4a 5b 62|"; classtype:shellcode-detect; 
reference:url,doc.emergingthreats.net/2010412; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010412; rev:2;) #BSD Reverse Shell - ENCODE: Pex #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 1)"; content:"|c9 83 e9 ef e8 ff ff ff ff c0 5e 81 76 0e|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010413; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Encoded 2)"; content:"|83 ee fc e2 f4|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010414; rev:2;) #BSD Reverse Shell - ENCODE: None #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 1)"; content:"|51 cd 80 49 79 f6 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 50|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010415; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 2)"; content:"|6a 61 58 99 52 42 52 42 52 68|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010416; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Not Encoded 3)"; content:"|89 e1 6a 10 51 50 51 97 6a 62 58 cd 80 6a 02 59 b0 5a 51 57|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010417; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010417; rev:2;) #BSD Reverse Shell - ENCODE: PexAlphaNum #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1)"; content:"|44 32 4d 4c 42 48 4a 46 42 31 44 50 50 41 4e 4f 49 38 41 4e|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010418; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2)"; content:"|4c 36 42 41 41 35 42 45 41 35 47 59 4c 36 44 56 4a 35 4d 4c|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010419; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3)"; content:"|56 58 32 42 44 42 48 34 41 32 41 44 30 41 44 54 42 44 51 42|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010420; rev:2;) #BSD Reverse Shell - ENCODE: PexFnstenvMov #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1)"; content:"|6a 11 59 d9 ee d9 74 24 f4 5b 81 73 13|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010421; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2)"; content:"|83 eb fc e2 f4|"; classtype:shellcode-detect; 
reference:url,doc.emergingthreats.net/2010422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010422; rev:2;) #BSD Reverse Shell - ENCODE: JmpCallAditive #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1)"; content:"|eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010423; rev:2;) #BSD Reverse Shell - ENCODE: Alpha2 #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 1)"; content:"|49 49 49 49 49 49 49 51 5a 6a|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010424; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010424; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 2)"; content:"|58 50 30 42 31 41 42 6b 42 41|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010425; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD Reverse shell (Alpha2 Encoded 3)"; content:"|32 41 41 30 41 41 58 50 38 42 42 75|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010426; rev:2;) ##### EOF BSD Reverse Shell##### ##### BSD SPARC Bind Shell ######### #BSD SPARC Bind Shell - ENCODE: SPARC #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1)"; content:"|20 bf ff ff 
20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010427; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010428; rev:2;) #BSD SPARC Bind Shell - ENCODE: None #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 1)"; content:"|e0 23 bf f0 c0 23 bf f4 92 23 a0 10 94 10 20 10 82 10 20 68|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010429; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010429; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 03 bf f8 92 10 20 01 82 10 20 6a 91 d0 20 08|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010430; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 3)"; content:"|d0 03 bf f8 92 1a 40 09 94 12 40 09 82 10 20 1e 91 d0 20 08|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010431; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Bind shell (Not Encoded 4)"; content:"|23 0b 
dc da 90 23 a0 10 92 23 a0 08 e0 3b bf f0 d0 23 bf f8|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010432; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010432; rev:2;) #### EOF BSD SPARC Bind Shell #########4 ### BSD SPARC Reverse Shell ######## #BSD SPARC Reverse Shell - ENCODE: None #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 1)"; content:"|9c 2b a0 07 94 1a c0 0b 92 10 20 01 90 10 20 02 82 10 20 61|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010433; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010433; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 2)"; content:"|91 d0 20 08 d0 23 bf f8 92 10 20 03 92 a2 60 01 82 10 20 5a|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010434; rev:2;) #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (Not Encoded 3)"; content:"|91 d0 20 08 12 bf ff fd d0 03 bf f8 21 3f c0|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010437; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010437; rev:2;) #BSD SPARC Reverse Shell - ENCODE: SPARC #alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1)"; content:"|20 bf ff ff 20 bf ff ff 7f ff ff ff ea 03 e0 20 aa 9d 40 11|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010435; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010435; rev:2;) #alert ip 
$EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"ET EXPLOIT METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2)"; content:"|ea 23 e0 20 a2 04 40 15 81 db e0 20 12 bf ff fb 9e 03 e0 04|"; classtype:shellcode-detect; reference:url,doc.emergingthreats.net/2010436; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Metasploit_Encoders; sid:2010436; rev:2;)
#### EOF BSD SPARC Reverse Shell ####
#Erik Fichtner
# CVE-2005-0399: inspects GIF data coming back from a web server (flow from_server) for a
# "NETSCAPE2.0" application extension whose first sub-block length byte (the byte right
# after the "NETSCAPE2.0" identifier, byte_test ... relative) is anything other than 3,
# the value this rule treats as the expected one. "GIF89a" carries no depth/offset, so
# the signature can fire on a GIF embedded anywhere in the response body, not only at
# the start of the stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative;classtype: attempted-admin; reference:cve,2005-0399; reference:url,doc.emergingthreats.net/bin/view/Main/2001807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Mozilla-Firefox; sid:2001807; rev:8;)
#By Joel Esler
# MaxDB web tool on TCP/9999: requires "GET", a fixed 7-byte sequence, and (via PCRE) a
# request path starting with "/%" followed by at least 1586 further bytes.
# NOTE(review): the PCRE is unanchored and has no depth bound, so the two content matches
# are what keep the regex from running over every 9999 payload; also note "GET" here is
# case-sensitive with no depth, while the regex itself uses /i.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; classtype: attempted-admin; reference:url,doc.emergingthreats.net/bin/view/Main/2001988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MySQL_MaxDB; sid:2001988; rev:4;)
# Disabled (leading "# "): MS04-007 ASN.1 library overflow over NetBIOS/139, matched on a
# 7-byte ASN.1 sequence with no depth/offset. Left commented out in this ruleset.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"ET EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2000017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_NETBIOS_ASN1_Overflow; sid:2000017; rev:6;)
#by kevin ross
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; 
within:10; isdataat:500,relative; content:!"|0A|"; within:500; classtype:attempted-admin; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598; reference:url,doc.emergingthreats.net/2011235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell; sid:2011235; rev:2;)
# NOTE(review): the novell.com reference URL in the rule above contains literal spaces
# ("stateId=0 0 155267598"); confirm the rule still parses and loads as written.
#By Michael Hale Ligh and Ryan Smith
# Novell HttpStk on TCP/8028: "/nds" (or "/dhost" in the sibling rule) within the first 10
# bytes of the request, then a CRLF + "Host:" header whose following 56 bytes contain no
# CRLF -- i.e. an over-long Host value. The "(linewrap)" variants instead require a CRLF
# followed by a space within those 56 bytes (a folded/continued header line). All four
# rules share this structure; they differ only in the path and the Host-value check.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell_HTTPSTK; sid:2003145; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell_HTTPSTK; sid:2003146; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell_HTTPSTK; sid:2003148; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT 
Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Novell_HTTPSTK; sid:2003147; rev:3;)
#by Akash Mahajan
# Now SMS/MMS Gateway HTTP (TCP/8800): a GET request carrying "Basic" plus a base64-looking
# token of 255+ alphanumerics ending in "==" -- an over-long credential value.
# NOTE(review): the PCRE has no R flag, so it is not tied to the "Basic" match position
# and the long token may be matched anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Basic"; nocase; pcre:"/[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2007874; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Now_SMS; sid:2007874; rev:3;)
# Same product over SMPP (TCP/2775): |00 00 00 04| followed, at least one byte later, by
# |00 00 00 01|, plus a run of 1000+ consecutive alphanumerics anywhere in the payload.
# Both Now SMS rules cite the same bugtraq/advisory references.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2007875; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Now_SMS; sid:2007875; rev:3;)
#by Fabien Bourdaire of ECSC Security
# Re: http://www.internetdefence.net/2007/02/06/Javascript-payload
# bc d3 c3 d2 c9 d0 d4