#
# $Id: bleeding.rules $
# Emerging Threats rules.
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to threats@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
# Copyright (c) 2003-2008, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# From SANS/Diary isc.sans.org/diary.html?storyid=4139
#
# Inspect your web proxy logs for visitors to 2117966.net. This will
# indicate who is potentially exposed. Check these systems to verify
# that their patches are up-to-date. Systems that are successfully
# compromised will begin sending traffic to 61.188.39.175
#
# Both 2117966.net rules are campaign IoCs lifted from the SANS diary above. The
# ip rule fires on any protocol towards 61.188.39.175 (rate-limited to one alert
# per source per 60s by the limit threshold), so a hit is a strong post-infection
# signal, but the address will go stale: retire the rule once the campaign ends.
alert ip $HOME_NET any -> 61.188.39.175 any (msg:"ET CURRENT_EVENTS 2117966.net/iframe exploit (infection)"; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:2008001; rev:1;)
# "attempt" means the client only requested the domain; it does not prove the
# iframe payload ran. depth: 512 keeps the Host header search in the request head.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS 2117966.net/iframe exploit (attempt)"; flow: to_server,established; content:"|0d0a|Host|3a|"; nocase; depth: 512; content:"2117966.net"; nocase; within: 30; classtype: trojan-activity; reference:url,isc.sans.org/diary.html?storyid=4139; sid:2008002; rev:1;)
#
# The ActiveX rules in this file (2007816, 2007815, 2007818, 2007819, 2007887,
# 2007817, 2007848, 2008080, 2007888, 2007813, 2007812) all look for a known-
# vulnerable control's CLSID in server-to-client HTTP content, usually paired with
# the abused method name or a "0x40000" marker (apparently taken from the
# referenced public PoC pages). They pre-date the http_* content modifiers and
# match the raw stream, so a compressed or chunked response is presumably not
# normalised before matching and would be missed - confirm against the HTTP
# preprocessor configuration in use.
#by Matt Jonkman
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Aurigma ImageUploader5 ActiveX CLSID in Use"; flow:from_server,established; content:"CLSID"; nocase; content:"BA162249-F2C5-4851-8ADC-FC58CB424243"; nocase; pcre:"/(%u6950%u74C9|0x40000)/i"; pcre:"/(ExtractIptc|ExtractExif)/i"; reference:url,www.milw0rm.com/exploits/5049; reference:url,isc.sans.org/diary.html?storyid=3929; classtype:web-application-attack; sid:2007816; rev:3;)
#by Akash Mahajan of Stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma Image Uploader ImageUploader4.ocx ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"0x40000"; content:"Action"; nocase; content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; classtype:web-application-attack; reference:bugtraq,27539; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)
#by Chandan S of StillSecure
# In both Chilkat rules the pcre "/.*\.(ini|exe|dll|bat|com|cab|txt)/i" is
# unanchored: the leading .* adds scan cost without precision, and "\.com" also
# matches any .com hostname in the page, so the CLSID plus the method name
# (distance:0; within:40 relative to the previous match) carry the real specificity.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chilkat FTP ActiveX 2.0 ChilkatCert.dll Insecure Method Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"A934AEE3-8896-485F-8A55-ACF2A87BD010"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"SavePkcs8File"; nocase; distance:0; within:40; classtype:web-application-attack; reference:bugtraq,27540; reference:url,www.milw0rm.com/exploits/5028; sid:2007818; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chilkat Mail ActiveX 7.8 ChilkatCert.dll Insecure Method Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"2A9A3D40-2F32-45BF-9A89-AC9ED6C2FEDF"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; content:"SaveLastError"; nocase; distance:0; within:40; classtype:web-application-attack; reference:bugtraq,27493; reference:url,www.milw0rm.com/exploits/5005; sid:2007819; rev:1;)
#by Akash Mahajan of Stillsecure
# NOTE(review): content:"ExecuteStr" carries no nocase, unlike the clsid match in
# the same rule, so the method name is matched case-sensitively here - confirm
# that is intended before relying on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Comodo AntiVirus 2.0 ExecuteStr() Remote Command Execution Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"309F674D-E4D3-46BD-B9E2-ED7DFD7FD176"; nocase; content:"ExecuteStr"; pcre:"/.*\.(exe|bat|ftp)/i";reference:cve,CVE-2008-0470; reference:bugtraq,27424; reference:url,www.milw0rm.com/exploits/4974; classtype:web-application-attack; sid:2007887; rev:1;)
# re http://isc.sans.org/diary.html?storyid=3929
#by Akash Majahan at StillSecure
# FaceBook PhotoUploader Buffer Overflow Exploit
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FaceBook PhotoUploader Buffer Overflow Exploit"; flow:to_client,established; content:"clsid"; nocase; content:"5C6698D9-7BE4-4122-8EC5-291D84DBD4A0"; nocase; pcre:"/(ExtractIptc|ExtractExif|FileMask)/i"; classtype:web-application-attack; reference:url,www.milw0rm.com/exploits/5049; reference:url,www.milw0rm.com/exploits/5102; reference:bugtraq,27576; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007817; rev:2;)
#by Joshua Gimer
# Phishing-site domains from the MS08-021 campaign (storyid=4274). "Host\: " is
# matched case-sensitively and is not preceded by |0d 0a|, so it can also match
# inside a request body; within:50 then ties the domain to that Host match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 igloofamily.com"; flow:established,to_server; content:"Host\: "; content:"igloofamily.com"; within:50; nocase; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=4274; sid:2008137; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Domain Related to Phishing GDI Exploits MS08-021 amrc.com.tw"; flow:established,to_server; content:"Host\: "; content:"amrc.com.tw"; within:50; nocase; classtype:misc-attack; reference:url,isc.sans.org/diary.html?storyid=4274; sid:2008138; rev:1;)
#experimental, see
#by william metcalf
#disabling by default. Is used in some legit places as well. Use this if you have a need
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report"; flow:established,to_server; content:"POST "; depth:5; content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST; sid:2008045; rev:1;)
#by Akash Mahajan of Stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)
#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
# Mass File Injection attacks
# 2008206 watches responses our clients receive (from_server) - a visit to an
# already-defaced page; 2008207 watches requests arriving at our own web servers
# (to_server on $HTTP_PORTS), i.e. the injection itself. ".js" in 2008206 has no
# distance/within, so the two strings may appear anywhere in the response.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:1;)
#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
# 2008103-2008106 key on a 24-byte packet on port 447 (dsize:24) with a
# 2-in-360s per-source threshold. 2008107-2008110 drop the size check and alert
# on any five packets on 447 within 60 seconds regardless of content, so they
# are noisier and are best read as corroboration for the dsize rules rather
# than as a signal on their own.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008103; rev:1;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008104; rev:1;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008105; rev:1;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008106; rev:1;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008107; rev:1;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008108; rev:1;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008109; rev:1;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET CURRENT_EVENTS Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; sid:2008110; rev:1;)
#by akash mahajan.
#temporary, not a perfect sig, will false
# This rule has no flow keyword, so unlike the other ActiveX rules it also
# matches on unestablished or out-of-order segments; adding
# flow:to_client,established (and bumping rev) would trim some of the false
# positives noted above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Real Player rmoc3260.dll ActiveX Remote Code Execution Exploit"; content:"CLSID"; nocase; content:"2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93"; nocase; distance:0; content:"Console"; nocase; distance:0; classtype:web-application-attack; reference:bugtraq,28157; reference:cve,CVE-2008-1309; reference:url,www.milw0rm.com/exploits/5332; sid:2008080; rev:2;)
#by Don Jackson of Secureworks. RE: US courts related phishes
# The pcre in both RhiFrem rules has no /s flag, so ".*" cannot cross a line
# break: the Host header is expected at a fixed line position after the request
# line. That is precise for the sampled traffic but fragile if the trojan
# reorders its headers; the stripped-down "Mozilla/5.0 Gecko/20050212
# Firefox/1.5.0.2" User-Agent (no platform block) is the stable part.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; sid:2008139; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RhiFrem Trojan Activity - log"; flow:to_server,established; content:"POST|20|"; offset:0; depth:5; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^POST\x20[^\x0D\x0A]+\x3Fmod\x3Dlog\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+.*\x0D\x0A\x0D\x0Acurr\x3D.*\x26next\x3D/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; sid:2008140; rev:1;)
#by Akash Mahajan of Stillsecure
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Rising Online Scanner Insecure Method Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153"; nocase; content:"UpdateEngine"; nocase; content:"0000$0000$0000"; classtype:web-application-attack; reference:bugtraq,27997; reference:url,www.milw0rm.com/exploits/5188; sid:2007888; rev:1;)
#by matt jonkman
# Filename-only match with no reference: treat a hit as a lead to confirm from
# the downloaded object, not as proof of Srizbi.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)
#by matt jonkman
#more by Jeremy at sudosecure
# The Storm rules key on a User-Agent whose last token reads "SV1921)" rather
# than the usual "SV1)" - presumably a hard-coded string in the downloader that a
# real IE6 does not send; the |0d 0a| on either side pins it to a header line.
# 2008111/2008112 additionally require a bare dotted-quad Host header, i.e. an
# EXE fetched by IP address rather than by name.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)
#by jeremy at sudosecure
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (Trojan Downloader User Agent)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/67; sid:2008193; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec.exe)"; flow:established,to_server; uricontent:"/StormCodec.exe"; nocase; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; sid:2008111; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (StormCodec8.exe)"; flow:established,to_server; uricontent:"/StormCodec8.exe"; nocase; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; sid:2008112; rev:3;)
#by Victor Julien
# Just testing to see if it works well. lots of bad stuff use this uri and an IP
# "GET " at offset:0/depth:4 anchors the method; the trailing |0d 0a|Host|3a|
# content only requires that some Host header be present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious Download (drv32.data)"; flow:established,to_server; content:"GET "; offset:0; depth:4; uricontent:"/drv32.data"; content:"|0d 0a|Host|3a|"; classtype:trojan-activity; sid:2008014; rev:2;)
#by Adam Pointon at sentinelsecurity.com.au
# WPAD DNS devolution check (kb/247333). Each pattern ends in |02|, the length
# byte of a further two-character label, so it presumably matches names such as
# wpad.com.<xx> / wpad.co.<xx> that devolved past the organisation's own zone -
# not a bare wpad.com query, whose name ends in a |00| terminator. Only queries
# sent to $DNS_SERVERS are inspected; clients pointed at other resolvers are
# not covered.
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET DNS Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007707; rev:2;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET DNS Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007708; rev:2;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET DNS Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007709; rev:2;)
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET DNS Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|"; nocase; reference:url,support.microsoft.com/kb/247333; classtype:attempted-user; sid:2007710; rev:2;)
# re http://isc.sans.org/diary.html?storyid=3929
# Will remove these sometime after patching looks complete
#by Akash Mahajan at Stillsecure
# Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() Buffer O
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yahoo! JukeBox MediaGrid ActiveX Control mediagrid.dll AddBitmap() BoF"; flow:to_client,established; content:"clsid"; nocase; content:"22FD7C0A-850C-4A53-9821-0B0915C96139"; nocase; content:"0x40000"; content:"AddBitmap"; nocase; classtype:web-application-attack; reference:bugtraq,27578; reference:url,milw0rm.com/exploits/5052; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007813; rev:1;)
#by Akash Mahajan at Stillsecure
# Yahoo! Music Jukebox 2.2 AddImage() and AddButton() ActiveX BOF
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yahoo! Music Jukebox (DataGrid) 2.2 AddImage() ActiveX BOF"; flow:to_client,established; content:"clsid"; nocase; content:"5F810AFC-BB5F-4416-BE63-E01DD117BD6C"; nocase; content:"0x40000"; pcre:"/(AddImage|AddButton)/i"; reference:bugtraq,27590; reference:url,www.milw0rm.com/exploits/5048; reference:url,www.milw0rm.com/exploits/5046; reference:url,www.milw0rm.com/exploits/5051; classtype:web-application-attack; sid:2007812; rev:1;)