File: pop3.rules

package info (click to toggle)
snort 2.3.3-11
  • links: PTS
  • area: main
  • in suites: etch, etch-m68k
  • size: 22,512 kB
  • ctags: 11,344
  • sloc: ansic: 70,967; sh: 4,848; makefile: 748; perl: 478; sql: 212
file content (43 lines) | stat: -rw-r--r-- 8,578 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id: pop3.rules,v 1.22.2.2 2004/11/30 02:39:03 bmc Exp $
#--------------
# POP3 RULES
#--------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative argument attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)

# bsd-qpopper.c
# overflow in the reading of a line in qpopper
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:9;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:11;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:5;)
alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:nessus,12204; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:5;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;)