Changeset 1650

Timestamp:
11/09/06 16:43:32 (2 years ago)
Author:
mbr
Message:

removed sid:1100nn fields

Files:

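--- a/psad/branches/sigdevel/signatures
+++ b/psad/branches/sigdevel/signatures
@@ -30,8 +30,8 @@
 alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; reference:arachnids,255; classtype:attempted-dos; psad_dsize:>10; sid:239; psad_id: 100005; psad_dl:2;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; reference:arachnids,256; classtype:attempted-dos; psad_dsize:>4; sid:240; psad_id: 100006; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master connection attempt"; flags:S; reference:arachnids,197; classtype:attempted-dos; sid:110002; psad_id: 100007; psad_dl:2; psad_derived_sids:233,234,235;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master connection attempt"; flags:S; reference:arachnids,197; classtype:attempted-dos; psad_id: 100007; psad_dl:2; psad_derived_sids:233,234,235;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; reference:arachnids,197; classtype:attempted-dos; psad_dsize:>6; sid:237; psad_id: 100008; psad_dl:2;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; classtype:attempted-dos; psad_dsize:>8; sid:243; psad_id: 100009; psad_dl:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; reference:cve,2000-0138; classtype:attempted-dos; psad_dsize:>3; sid:110003; psad_id: 100010; psad_dl:2; psad_derived_sids:244,245,246;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; reference:cve,2000-0138; classtype:attempted-dos; psad_dsize:>3; psad_id: 100010; psad_dl:2; psad_derived_sids:244,245,246;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flags:S; reference:cve,2000-0138; classtype:attempted-dos; sid:247; psad_id: 100011; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags:S,12; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; psad_id: 100012; psad_dl:2;)
@@ -65,6 +65,6 @@
 ### backdoor.rules
 alert tcp $EXTERNAL_NET any -> $HOME_NET 16959 (msg:"BACKDOOR subseven DEFCON8 2.1 Connection Cttempt"; flags:S; classtype:trojan-activity; sid:107; psad_id: 100027; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus Connection Cttempt"; flags:S; reference:arachnids,401; classtype:misc-activity; sid:110004; psad_id: 100028; psad_dl:2; psad_derived_sids:109,110;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 Connection Cttempt"; flags:S; classtype:misc-activity; sid:110005; psad_id: 100019; psad_dl:2; psad_derived_sids:115,3009;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus Connection Cttempt"; flags:S; reference:arachnids,401; classtype:misc-activity; psad_id: 100028; psad_dl:2; psad_derived_sids:109,110;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"BACKDOOR NetBus Pro 2.0 Connection Cttempt"; flags:S; classtype:misc-activity; psad_id: 100019; psad_dl:2; psad_derived_sids:115,3009;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; psad_dsize:>1; sid:1980; psad_id: 100030; psad_dl:2;)
 alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; reference:arachnids,106; reference:mcafee,98574; reference:nessus,10053; classtype:misc-activity; psad_dsize:>21; sid:195; psad_id: 100031; psad_dl:2;)
@@ -75,11 +75,11 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET 6789 (msg:"BACKDOOR Doly 2.0 Connection attempt"; flags:S; reference:arachnids,312; classtype:misc-activity; sid:119; psad_id: 100036; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1015 (msg:"BACKDOOR Doly 1.5 Connection attempt"; flags:S; classtype:trojan-activity; sid:1985; psad_id: 100037; psad_dl:2;)
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0 Connection attempt"; flags:S; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:110006; psad_id: 100038; psad_dl:2; psad_derived_sids:104,105;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0 Connection attempt"; flags:S; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; psad_id: 100038; psad_dl:2; psad_derived_sids:104,105;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flags:S; reference:MCAFEE,98775; classtype:misc-activity; sid:108; psad_id: 100039; psad_dl:2;)
-alert tcp $EXTERNAL_NET 1000: -> $HOME_NET 146 (msg:"BACKDOOR Infector.1.x Connection attempt"; flags:S; reference:arachnids,315; classtype:misc-activity; sid:110007; psad_id: 100040; psad_dl:2; psad_derived_sids:117,120,121;)
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 666 (msg:"BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt"; flags:S; reference:arachnids,316; classtype:misc-activity; sid:110008; psad_id: 100041; psad_dl:2; psad_derived_sids:118,157,158;)
+alert tcp $EXTERNAL_NET 1000: -> $HOME_NET 146 (msg:"BACKDOOR Infector.1.x Connection attempt"; flags:S; reference:arachnids,315; classtype:misc-activity; psad_id: 100040; psad_dl:2; psad_derived_sids:117,120,121;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 666 (msg:"BACKDOOR SatansBackdoor.2.0.Beta, or BackConstruction 2.1 Connection Attempt"; flags:S; reference:arachnids,316; classtype:misc-activity; psad_id: 100041; psad_dl:2; psad_derived_sids:118,157,158;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 31785 (msg:"BACKDOOR HackAttack 1.20 Connection attempt"; flags:S; classtype:misc-activity; sid:141; psad_id: 100042; psad_dl:2;)
 alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriend Connection attempt"; flags:S; reference:arachnids,98; classtype:misc-activity; sid:145; psad_id: 100043; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 30100:30102 (msg:"BACKDOOR NetSphere Connection attempt"; flags:S; reference:arachnids,76; classtype:misc-activity; sid:110009; psad_id: 100044; psad_dl:2; psad_derived_sids:146,155;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 30100:30102 (msg:"BACKDOOR NetSphere Connection attempt"; flags:S; reference:arachnids,76; classtype:misc-activity; psad_id: 100044; psad_dl:2; psad_derived_sids:146,155;)
 alert tcp $EXTERNAL_NET -> $HOME_NET 6969 (msg:"BACKDOOR GateCrasher Connection attempt"; flags:S; reference:arachnids,99; classtype:misc-activity; sid:147; psad_id: 100045; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 5401:5402 (msg:"BACKDOOR BackConstruction 2.1 connection attempt"; flags:S; classtype:misc-activity; sid:152; psad_id: 100046; psad_dl:2;)
@@ -101,6 +101,6 @@
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flags:S; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; psad_id: 100061; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 63536 (msg:"BACKDOOR Insane Network 4.0 connection established port 63536"; classtype:misc-activity; sid:3016; psad_id: 100062; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick connection attempt"; flags:S; classtype:misc-activity; sid:110010; psad_id: 100063; psad_dl:2; psad_derived_sids:3010,3011,3012;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flags:S; classtype:misc-activity; sid:110011; psad_id: 100064; psad_dl:2; psad_derived_sids:3013,3014;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"BACKDOOR RUX the Tick connection attempt"; flags:S; classtype:misc-activity; psad_id: 100063; psad_dl:2; psad_derived_sids:3010,3011,3012;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"BACKDOOR Asylum 0.1 connection request"; flags:S; classtype:misc-activity; psad_id: 100064; psad_dl:2; psad_derived_sids:3013,3014;)
 
 
@@ -123,17 +123,17 @@
 ### misc.rules
 alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU communication attempt"; flags:S; reference:arachnids,229; classtype:bad-unknown; sid:505; psad_id: 100072; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631:5632 (msg:"MISC PCAnywhere communication attempt"; flags:S; classtype:attempted-admin; sid:110012; psad_id: 100073; psad_dl:2; psad_derived_sids:507,512;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631:5632 (msg:"MISC PCAnywhere communication attempt"; flags:S; classtype:attempted-admin; psad_id: 100073; psad_dl:2; psad_derived_sids:507,512;)
 #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:100; psad_id: 100000; psad_dl:2;)
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP communication attempt"; classtype:misc-attack; psad_dsize:>8; sid:110013; psad_id: 100074; psad_dl:2; psad_derived_sids:1917,1384,1388;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP communication attempt"; classtype:misc-attack; psad_dsize:>8; psad_id: 100074; psad_dl:2; psad_derived_sids:1917,1384,1388;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail communication attempt"; flags:S; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; psad_id: 100075; psad_dl:2;)
 alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; psad_dsize:>20; sid:1889; psad_id: 100076; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server communication attempt"; flags:S; reference:bugtraq,3099; reference:cve,2001-0540; classtype:misc-activity; sid:110014; psad_id: 100077; psad_dl:2; psad_derived_sids:1447,1448,2418;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server communication attempt"; flags:S; reference:bugtraq,3099; reference:cve,2001-0540; classtype:misc-activity; psad_id: 100077; psad_dl:2; psad_derived_sids:1447,1448,2418;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flags:S; reference:nessus,11019; classtype:misc-activity; sid:1819; psad_id: 100078; psad_dl:2;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; reference:bugtraq,6100; classtype:misc-activity; psad_dsize:>8; sid:1966; psad_id: 100079; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs communication attempt"; flags:S; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; psad_id: 100080; psad_dl:2;)
 alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; classtype:misc-activity; psad_dsize:>29; sid:2043; psad_id: 100081; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP communication ttempt"; flags:S; reference:bugtraq,5807; reference:cve,2002-1214; classtype:attempted-admin; sid:110015; psad_id: 100082; psad_dl:2; psad_derived_sids:2126,2044;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP communication attempt"; flags:S; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:110016; psad_id: 100083; psad_dl:2; psad_derived_sids:2516,2532,2533,2534;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin communication attempt"; flags:S; reference:bugtraq,9978; classtype:web-application-activity; sid:110017; psad_id: 100084; psad_dl:2; psad_derived_sids:2547,2548,2549,2655;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP communication ttempt"; flags:S; reference:bugtraq,5807; reference:cve,2002-1214; classtype:attempted-admin; psad_id: 100082; psad_dl:2; psad_derived_sids:2126,2044;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP communication attempt"; flags:S; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; psad_id: 100083; psad_dl:2; psad_derived_sids:2516,2532,2533,2534;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin communication attempt"; flags:S; reference:bugtraq,9978; classtype:web-application-activity; psad_id: 100084; psad_dl:2; psad_derived_sids:2547,2548,2549,2655;)
 
 ### shellcode.rules
@@ -147,5 +147,5 @@
 
 ### p2p.rules
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster communication attempt"; flags:S; classtype:policy-violation; sid:110018; psad_id: 100090; psad_dl:2; psad_derived_sids:549,550,551,552;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster communication attempt"; flags:S; classtype:policy-violation; psad_id: 100090; psad_dl:2; psad_derived_sids:549,550,551,552;)
 alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data communication attempt"; flags:S; classtype:policy-violation; sid:561; psad_id: 100091; psad_dl:2;)
 alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data communication attempt"; flags:S; classtype:policy-violation; sid:562; psad_id: 100092; psad_dl:2;)
@@ -159,5 +159,5 @@
 
 ### ftp.rules
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server communication attempt"; flags:S; reference:bugtraq,9072; classtype:suspicious-login; sid:110019; psad_id: 100100; psad_dl:2; psad_derived_sids:2334,2335;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server communication attempt"; flags:S; reference:bugtraq,9072; classtype:suspicious-login; psad_id: 100100; psad_dl:2; psad_derived_sids:2334,2335;)
 
 ### experimental.rules
@@ -198,5 +198,5 @@
 #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:217; psad_id: 100000; psad_dl:2;)
 alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; id:413; seq:6060842; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; psad_id: 100111; psad_dl:2;)
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server communication attempt"; flags:S; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:110020; psad_id: 100112; psad_dl:2; psad_derived_sids:276,277;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server communication attempt"; flags:S; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; psad_id: 100112; psad_dl:2; psad_derived_sids:276,277;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup communication attempt"; flags:S; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; psad_id: 100113; psad_dl:2;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC communication attempt"; flags:S; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; psad_id: 100114; psad_dl:2;)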
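Review bot: With `sid:` dropped, the merged rules are identified only by `psad_id`, and the new-side NetBus Pro 2.0 line in the backdoor.rules hunk carries `psad_id: 100019`, which sits out of sequence between 100028 and 100030 and should be checked against the rest of the file (not visible here) for a collision with another rule's 100019. If psad's signature loader treats a missing `sid` as a parse error the way Snort does, every rule that now carries only `psad_derived_sids` will be rejected instead of loaded, silently losing detection on those ports; the loader should require either `sid` or `psad_derived_sids` on each rule and reject duplicate `psad_id` values. The two commented-out rules in the misc.rules and experimental.rules hunks both carry `psad_id: 100000`, harmless while disabled but a collision the moment either is re-enabled. A one-line header comment would make the new convention explicit, e.g. `# Merged rules carry no sid: psad_id is the unique key and psad_derived_sids lists the upstream Snort sids they replace.`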