|
Revision 1539, 1.0 kB
(checked in by mbr, 3 years ago)
|
updated to Snort-2.3.3 signatures in anticipation of being able to elevate psad danger level based on specific logging prefixes
|
- Property svn:eol-style set to
native
- Property svn:keywords set to
Author Date Id Revision
|
| Line | |
|---|
| 1 |
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. |
|---|
| 2 |
# All rights reserved. |
|---|
| 3 |
# $Id$ |
|---|
| 4 |
#---------- |
|---|
| 5 |
# MYSQL RULES |
|---|
| 6 |
#---------- |
|---|
| 7 |
# |
|---|
| 8 |
# These signatures detect unusual and potentially malicious mysql traffic. |
|---|
| 9 |
# |
|---|
| 10 |
# These signatures are not enabled by default as they may generate false |
|---|
| 11 |
# positive alarms on networks that do mysql development. |
|---|
| 12 |
# |
|---|
| 13 |
|
|---|
| 14 |
# sid:1775 - alerts on client-to-server traffic in an established TCP session
# from $EXTERNAL_NET to $SQL_SERVERS port 3306 whose payload contains the bytes
# 0A 00 00 01 85 04 00 00 80 followed by "root" and a NUL byte.
# The content match carries no offset/depth, so it may match anywhere in the
# payload, and no nocase, so the user name is compared case-sensitively.
# NOTE(review): the leading bytes look like a MySQL packet header (3-byte
# length = 10, sequence = 1) followed by fixed client-flag and max-packet-size
# bytes; if so, only one exact login packet shape matches (a length of 10 would
# leave no room for password bytes after "root\0") - confirm against the
# protocol versions in use before counting on this rule for coverage.
# The rule inspects the request only: an alert does not show whether the login
# succeeded, and sources outside $EXTERNAL_NET or ports other than 3306 are
# not covered.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;) |
|---|
| 15 |
# sid:1776 - alerts when a client-to-server payload in an established session
# to $SQL_SERVERS port 3306 contains the bytes 0F 00 00 00 03 followed by the
# literal text "show databases".
# There is no nocase option, so only this exact lower-case spelling matches.
# NOTE(review): 0F 00 00 looks like a packet length of 15 (one command byte
# plus the 14-character statement); if so, the same statement sent with
# different case, spacing or a trailing terminator would not match - treat
# this as a coarse indicator and back it with server-side query/audit logging.
# "show databases" is also a routine administrative query, which is in line
# with the file header's warning about false positives on development networks.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;) |
|---|
| 16 |
# sid:3456 - alerts on client-to-server traffic in an established session to
# $SQL_SERVERS port 3306 where a 0x01 byte is matched with distance:3/within:1
# and "root" plus a NUL (case-insensitive, nocase) begins exactly 5 bytes after
# that match (distance:5; within:5).
# NOTE(review): with no earlier content match, distance/within are presumably
# measured from the start of the payload, which would make 0x01 the fourth
# byte (likely the packet sequence number) - confirm for the Snort version
# deployed.
# Unlike sid:1775, this rule does not pin the length or flag bytes, so the two
# may both fire on the same packet when both are enabled; account for that
# when counting alerts or raising a danger level from them.
# Like the other login rule, it sees the request only and says nothing about
# whether authentication succeeded.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; distance:3; within:1; content:"root|00|"; nocase; distance:5; within:5; classtype:protocol-command-decode; sid:3456; rev:1;) |
|---|