# Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# These rules are licensed under the GNU General Public License.
# Please see the file LICENSE in this directory for more details. 
# $Id: community-web-attacks.rules,v 1.6 2005/12/13 14:24:48 akirk Exp $

# All rules in this file are inbound-only (flow:to_server,established) and rely on
# $EXTERNAL_NET, $HTTP_SERVERS and $HTTP_PORTS being defined in snort.conf; if those
# variables are left as "any", the rules also fire on traffic between internal hosts.

# Hydra brute-force tool: looks for the literal default User-Agent "Mozilla/4.0 (Hydra)".
# The pcre already carries the /i flag, so the trailing "nocase" is redundant — in
# Snort 2.x nocase is a content modifier, not a pcre modifier; NOTE(review): confirm
# the rule parses as intended. Signature-only detection: a client that changes its
# User-Agent will not match, so a hit confirms the tool but a miss proves nothing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Hydra Activity Detected"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Hydra"; nocase; distance:0; pcre:"/^User-Agent\s*\x3A\s*Mozilla\x2f4\.0 (Hydra)/smi"; nocase; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000168; rev:1;) 
# Amap service fingerprinter: a fixed 130-byte probe payload that must appear within
# the first 130 bytes of the client stream (depth:130), i.e. as the very first data
# sent to the HTTP port. NOTE(review): the 80 80 01 03 01 prefix looks like an SSL
# client hello sent to a cleartext port — inferred from the bytes, confirm against the
# Amap trigger definitions before relying on that description.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; content:"|80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 00 80 63 b9 b9 19 c0 2b ae 90 74 4c 73 eb 8b cf d8 55 ea d0 69 82 1b ef 23 c3 39 9b 8e b2 49 3c 5a 79|"; depth:130; classtype:web-application-activity; reference:url,www.thc.org/releases.php; sid:100000169; rev:2;)
# GFI MailSecurity management host overflow (Bugtraq 15081 / OSVDB 19926): any header
# line that begins with "Host" and is followed by 100 or more non-newline bytes. With
# the /m flag "^Host" matches at the start of any line, and nothing restricts the
# destination to a GFI management host, so unusually long but legitimate Host headers
# to any $HTTP_SERVERS address will also alert.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Host Parameter"; flow:to_server,established; content:"Host"; nocase; pcre:"/^Host[^\r\n]{100,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000170; rev:2;) 
# Companion rule for the Accept header (200+ byte line). "^Accept" has no colon after
# it, so it also matches Accept-Language, Accept-Encoding, Accept-Charset and similar
# headers; long Accept-* headers from ordinary clients can trigger this. If false
# positives are a problem, anchoring on "^Accept\s*\x3A" (constructed example) would
# limit it to the Accept header itself.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS GFI MailSecurity Management Host Overflow Attempt Long Accept Parameter"; flow:to_server,established; content:"Accept"; nocase; pcre:"/^Accept[^\r\n]{200,}/smi"; reference:bugtraq,15081; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19926; classtype:attempted-admin; sid:100000171; rev:3;) 
# SAP Web Application Server: request for the BSP menu frameset whose URI also carries
# "sap-syscmd" (CYBSEC advisory on multiple XSS in SAP WAS). Both uricontent checks are
# nocase and not ordered relative to each other, so the parameter may appear anywhere in
# the URI, including in legitimate administrative use; classified as
# web-application-activity rather than an attack class, so treat a hit as a lead to review.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-ATTACKS SAP WAS syscmd access"; flow:to_server,established; uricontent:"/sap/bc/BSp/sap/menu/frameset.htm"; nocase; uricontent:"sap-syscmd"; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:1;)