rpc.rules

Revision 1255, 50.1 kB (checked in by mbr, 4 years ago)
updated to Snort-2.3 rules
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
2	# All rights reserved.
3	# $Id$
4	#----------
5	# RPC RULES
6	#----------
7
8
9	# portmap specific stuff.
10
11	## bleck. Not happy about this. because of the non-rule ordering foo, I'm
12	## checking the first byte in the version, which should always be 0. When we
13	## alert multiple times on a packet, I'll put these rules back to:
14	## content:"\|0a 01 86 a0\|"; offset:16; depth:4; content:"\|00 00 00 05\|";
15	## distance:4; within:4;
16	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"\|00 01 86 A0 00\|"; depth:5; offset:16; content:"\|00 00 00 05\|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;)
17	# this rule makes me not happy as well. see above.
18	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"\|00 01 86 A0 00\|"; depth:5; offset:12; content:"\|00 00 00 05\|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;)
19
20	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
21	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;)
22	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
23	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
24	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;)
25	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;)
26	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;)
27	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;)
28	alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;)
29	alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;)
30
31	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 8B\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;)
32	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 8B\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;)
33	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;)
34	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;)
35	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F7\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
36	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F7\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
37	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 03\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
38	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 03\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
39	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BA\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
40	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BA\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
41	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 CC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
42	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 CC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
43	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 02\|I\|F1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
44	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 02\|I\|F1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
45	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
46	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
47
48
49	# rusers
50	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A2\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
51	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A2\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
52	# XXX - Need to find out if rusers exists on TCP and if so, implement one of
53	# these for TCP...
54	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"\|00 01 86 A2\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
55
56
57
58	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AF\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
59	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AF\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
60	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
61	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
62
63	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
64	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
65
66	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"\|00 01 87 99\|"; depth:4; offset:16; content:"\|00 00 01 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
67	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"\|00 01 87 99\|"; depth:4; offset:12; content:"\|00 00 01 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
68
69	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|u"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
70	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|u"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
71
72
73	alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"\|00 01 86 B8\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
74	alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"\|00 01 86 B8\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
75
76
77	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
78	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
79	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
80	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
81	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 06\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
82	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 06\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
83
84
85	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"\|00 01 86 A5 00\|"; depth:5; offset:16; content:"\|00 00 00 01\|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
86	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"\|00 01 86 A5 00\|"; depth:5; offset:12; content:"\|00 00 00 01\|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
87
88
89	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
90	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:attempted-recon; sid:1952; rev:5;)
91	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
92	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
93	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
94	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
95	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
96	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"\|00 01 86 A5\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
97
98
99	# amd
100	alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"\|00 04 93 F3\|"; depth:4; offset:12; content:"\|00 00 00 07\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
101	alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"\|00 04 93 F3\|"; depth:4; offset:16; content:"\|00 00 00 07\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
102	alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"\|00 04 93 F3\|"; depth:4; offset:16; content:"\|00 00 00 09\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
103	alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"\|00 04 93 F3\|"; depth:4; offset:12; content:"\|00 00 00 09\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
104	alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"\|00 04 93 F3\|"; depth:4; offset:16; content:"\|00 00 00 08\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
105	alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"\|00 04 93 F3\|"; depth:4; offset:12; content:"\|00 00 00 08\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:8;)
106
107	# cmsd
108	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 E4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
109	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 E4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
110
111	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"\|00 01 86 E4\|"; depth:4; offset:12; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
112	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"\|00 01 86 E4\|"; depth:4; offset:16; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
113	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"\|00 01 86 E4\|"; depth:4; offset:12; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
114	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"\|00 01 86 E4\|"; depth:4; offset:16; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
115
116	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"\|00 01 86 E4\|"; depth:4; offset:16; content:"\|00 00 00 06\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:10;)
117	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"\|00 01 86 E4\|"; depth:4; offset:12; content:"\|00 00 00 06\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
118
119
120	# sadmind
121	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 88\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
122	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 88\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
123	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"\|00 01 87 88\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:10;)
124	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"\|00 01 87 88\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
125
126	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"\|00 01 87 88\|"; depth:4; offset:12; content:"\|00 00 00 00\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
127	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"\|00 01 87 88\|"; depth:4; offset:16; content:"\|00 00 00 00\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
128
129
130	# statd
131	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
132	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
133	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"\|00 01 86 B8\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
134	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"\|00 01 86 B8\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
135
136
137	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"\|00 01 86 B8\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; rev:9;)
138	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"\|00 01 86 B8\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
139
140
141	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
142	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
143	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"\|00 01 86 BC\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|7C\|"; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
144	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"\|00 01 86 BC\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|7C\|"; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:misc-attack; sid:2089; rev:5;)
145
146	# NFS
147	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
148	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
149
150
151	# rquota
152	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AB\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
153	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AB\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
154	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"\|00 01 86 AB\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
155	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"\|00 01 86 AB\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
156
157
158
159	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
160	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
161
162	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"\|00 01 86 F3\|"; depth:4; offset:12; content:"\|00 00 00 07\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
163	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"\|00 01 86 F3\|"; depth:4; offset:16; content:"\|00 00 00 07\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
164
165	# not sure what this rule is looking for, other than the procedure 15
166	# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"\|00 00 00 00\|"; depth:4; offset:8; content:"\|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01\|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
167
168
169	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A9\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
170	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A9\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
171
172	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"\|00 01 86 A9\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2027; rev:5;)
173	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"\|00 01 86 A9\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2028; rev:5;)
174
175
176	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"\|00 01 86 A9\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
177	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"\|00 01 86 A9\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
178
179
180
181	# XXX - These need re-verified
182	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"\|00 01 86 A9\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2029; rev:5;)
183	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"\|00 01 86 A9\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2030; rev:6;)
184
185
186	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"\|00 01 86 A9\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2031; rev:5;)
187	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"\|00 01 86 A9\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2032; rev:5;)
188
189
190	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
191	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
192	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"\|00 01 86 A4\|"; depth:4; offset:12; content:"\|00 00 00 0B\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
193	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"\|00 01 86 A4\|"; depth:4; offset:16; content:"\|00 00 00 0B\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
194
195
196	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 03 0D\|p"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
197	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 03 0D\|p"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
198
199
200	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"\|00 03 0D\|p"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
201	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"\|00 03 0D\|p"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
202
203
204	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
205	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
206
207	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|h"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
208	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|h"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
209
210	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"\|00 05 F7\|h"; depth:4; offset:12; content:"\|00 00 00 0D\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
211	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"\|00 05 F7\|h"; depth:4; offset:16; content:"\|00 00 00 0D\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
212
213
214	alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87\|}"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
215	alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87\|}"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
216	alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"\|00 01 87\|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
217
218	alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"\|00 01 87 88\|"; depth:4; offset:16; content:"\|00 00 00 01 00 00 00 01\|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"\|00 00 00 00\|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
219	alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"\|00 01 87 88\|"; depth:4; offset:12; content:"\|00 00 00 01 00 00 00 01\|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"\|00 00 00 00\|"; within:4; classtype:misc-attack; sid:2256; rev:3;)

Note: See TracBrowser for help on using the browser.

Download in other formats:

Original Format