File: other-ids.rules

package info (click to toggle)
snort 2.3.3-11
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 22,512 kB
  • ctags: 11,344
  • sloc: ansic: 70,967; sh: 4,848; makefile: 748; perl: 478; sql: 212
file content (22 lines) | stat: -rw-r--r-- 1,383 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: other-ids.rules,v 1.10 2004/07/23 20:15:44 bmc Exp $
# ---------------
# OTHER-IDS RULES
# ---------------
# These signatures look for uses of other IDSs.
#
# These signatures serve two purposes.
#  1) If you are "IDS GUY" for a company, and someone else sets up an IDS
#     without letting you know, thats bad.
#  2) If you are "pen-tester", this is a good way to find out what IDS
#     systems your target is using after you have gained access to their
#     network.
#


alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)

# To limit false positives, limit to the default port of 975
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)