|
Revision 1255, 1.3 kB
(checked in by mbr, 4 years ago)
|
updated to Snort-2.3 rules
|
- Property svn:eol-style set to
native
- Property svn:keywords set to
Author Date Id Revision
|
| Line | |
|---|
| 1 |
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al. |
|---|
| 2 |
# All rights reserved. |
|---|
| 3 |
# $Id$ |
|---|
| 4 |
# --------------- |
|---|
| 5 |
# OTHER-IDS RULES |
|---|
| 6 |
# --------------- |
|---|
| 7 |
# These signatures look for uses of other IDSs. |
|---|
| 8 |
# |
|---|
| 9 |
# These signatures serve two purposes. |
|---|
| 10 |
# 1) If you are "IDS GUY" for a company, and someone else sets up an IDS |
|---|
| 11 |
# without letting you know, that's bad. |
|---|
| 12 |
# 2) If you are "pen-tester", this is a good way to find out what IDS |
|---|
| 13 |
# systems your target is using after you have gained access to their |
|---|
| 14 |
# network. |
|---|
| 15 |
# |
|---|
| 16 |
|
|---|
| 17 |
|
|---|
| 18 |
# sid:1760 - ISS RealSecure 6 event collector banner.
# Fires on established TCP traffic sent from source port 902 on a $HOME_NET host
# to $EXTERNAL_NET; flow:from_server limits it to the server side of the session.
# The banner string is matched case-insensitively (nocase) inside a 70-byte
# window that starts 30 bytes into the payload (offset:30; depth:70).
# NOTE(review): the destination is $EXTERNAL_NET, so a collector that is only
# contacted from inside $HOME_NET is seen only if $EXTERNAL_NET also covers those
# hosts (for example when it is set to "any") - confirm against the sensor's
# variable definitions.
alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;) |
|---|
| 19 |
# sid:1761 - ISS RealSecure 6 daemon banner.
# Same content match and search window as sid:1760 (offset:30; depth:70; nocase),
# but keyed on source port 2998 instead of 902. Only server-to-client packets of
# an established session are inspected (flow:from_server,established).
# NOTE(review): as with sid:1760, the $HOME_NET -> $EXTERNAL_NET header means
# purely internal sessions match only if $EXTERNAL_NET includes internal hosts -
# confirm against the sensor's variable definitions.
alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;) |
|---|
| 20 |
|
|---|
| 21 |
# To limit false positives, restrict this rule to the default port of 975; as written it matches any port. |
|---|
| 22 |
# sid:1629 - SecureNetPro traffic.
# Fires on established TCP packets from $EXTERNAL_NET to $HOME_NET with any
# source and destination port; flow:established names no client or server side.
# The content is six bytes (00 67 00 01 00 03) and depth:6 confines the match to
# the first six bytes of the payload.
# NOTE(review): a six-byte pattern with no port constraint can match unrelated
# traffic; the comment above this rule names 975 as the product's default port,
# which is not applied in the rule header.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;) |
|---|