File: imap.rules

package info (click to toggle)
snort 2.3.3-11
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 22,512 kB
  • ctags: 11,344
  • sloc: ansic: 70,967; sh: 4,848; makefile: 748; perl: 478; sql: 212
file content (58 lines) | stat: -rw-r--r-- 12,579 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: imap.rules,v 1.24.2.5 2005/02/10 01:11:14 bmc Exp $
#--------------
# IMAP RULES
#--------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:9;)

# auth is an imap2 function and only accepts literal usage
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)

# FIND does not accept a literal command
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:8;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:10;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:5;)
alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3065; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3072; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat: 100,relative; pcre:"/\sFETCH\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3070; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;)