File: RULES.todo

package info (click to toggle)
snort 2.3.2-3
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 22,244 kB
  • ctags: 11,282
  • sloc: ansic: 70,376; sh: 4,364; makefile: 744; perl: 478; sql: 212
file content (110 lines) | stat: -rw-r--r-- 4,359 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
$Id: RULES.todo,v 1.13 2002/11/24 21:47:22 cazz Exp $

RULES todo

- BUGTRAQ 1199.  Old sig was sid:876, which doesn't actually catch exploit 
  attempts.  

- review sid:973.  where did this come from?  is it really bid 1448?

- uh, sid:1044.  What are we really looking for?

- sid:1143, 1144.  what the hell does /// do?  

- sid:1147 - cat%20.  can it be done via post?

- sid:1231 - doesnt seem to be bid:2808.  Whats this actually from?

- PGPMail.pl vulnerablity
  Message-Id: <0111291925580K.19881@ks40.eastnet.gatech.edu> sent to vuln-dev

- sid:1377,1378 - add reference:cve,CAN-2001-0550

- write sig for http://www.tempest.com.br/advisories/01-2001.html

- bitchslap securiteam for resending other people's alerts without passing 
  on any of the useful information.  

- write sig for AOL 3.3 and prior AUTH Basic overflow

- check on sid:895's group.  web-coldfusion instead of web-cgi?  
  (Pointed out by Justin Mitzimberg <JMitzimberg@bco.com>)

- rewrite the zillion of deepthroat 3.1 sigs and try and bring the count down 
  to oh, say... 2

- sid:340,341  What vulnerabilities are these?

- sid:349.  It seems to suck badly.  How about 
  content:"MKD "; offset:0; depth:4; dsize:>50;

- sid:1229.  Where does "CWD ..." come from? -- warez kiddies (cmg)

- BID 3744.  PHPFileExchange, Find the exploit, write a sig 

- BID 3988.  NetJuke.  find exploit, write a sig

- need FTP PORT bouncing signature

-- did the QT stuiff

- CAN-2000-1176

- PIMP http://cvs.nessus.org/cgi-bin/cvsweb.cgi/~checkout~/nessus-plugins/scripts/pimp.nasl
- SMB reg key smb_reg_ras_access.nasl

- axent_raptor_dos.nasl

- DNS ZXFR  sig

- finished nessus sigs up to bonk.nasl, start with that and finish the rest
- DCE sigs
- verify dtspcd.nasl

- convert all application ports to $APPNAME_PORTS if it makes sense for that
  application


- sid:1913,1914,1915,1916 
  the content match detection stuff needs revisiting because we
  can't add the checks for format string checks within the mon_name buffer.
  The rule SHOULD look like the following if everything was working properly:

  alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP stat \
  mon_name format string exploit attempt"; content:"|00 01 86 B8|";       \
  content:"|00 00 00 01|"; distance:4; within:4;                          \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:24; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP stat \
  mon_name format string exploit attempt"; flow:to_server,established;    \
  content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:24; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP      \
  monitor mon_name format string exploit attempt";                        \
  content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; \
  byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative;           \
  content:"|25|"; distance:20; within:95; content:"|25|"; distance:1;     \
  within:5; reference:cve,CVE-2000-0666; reference:bugtraq,1480;)

  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP      \
  monitor mon_name format string exploit attempt";                        \
  flow:to_server,established; content:"|00 01 86 B8|";                    \
  content:"|00 00 00 02|"; distance:4; within:4;                          \
  byte_test:4,>,100,16,relative; content:"|25|"; distance:16; within:96;  \
  content:"|25|"; distance:1; within:5; reference:cve,CVE-2000-0666;      \
  reference:bugtraq,1480;)


  alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC ypupdate udp \
  command execution attempt"; content:"|01 86 BC|";                     \
  content:"|00 00 00 01|"; distance:4; within:4;                        \
  byte_jump:4,12,relative,align; byte_jump:4,16,relative,align;         \ 
  content:"\|"; distance:16; within:32; reference:cve,CVE-1999-0208;    \ 
  classtype:attempted-admin;)

- write rule that looks for exploit of sid:306