PC Plus SuperCD (UK) 1999 October

home *** CD-ROM | disk | FTP | other *** search

/ PC Plus SuperCD (UK) 1999 October / pcp156a.iso / linux / snort / snort-lib < prev next >

Wrap

Text File | 1999-08-04 | 19.4 KB | 282 lines

# These rules are trying to log data to "sensitive" ports, plus alert on truly # suspicious activity. Note that you must change the addresses to reflect # your local network, these rules are currently setup for an RFC 1918 address # space. # Some of these rules may not be suspicious in your network environment, and # using all of the rules at the same time may lead to serious packet loss # on slower machines. YMMV, use with caution, standard disclaimers apply. :) # If you need help writing a specific rule, feel free to drop me a line! # -Marty (roesch@clark.net) # Credits: # Ron Gula <support@network-defense.com> of Network Security Wizards # Martin Markgraf <martin@mail.du.gtn.com> ################################## # alert on interesting packets ################################## # this library is for hostile scans and protocol pokes # Fragmentation Attacks alert tcp any any -> any any (msg:"Tiny Fragments, possible hostile activity"; MinFrag: 128;) # look for stealth port scans/sweeps alert tcp any any -> 192.168.1.0/24 any (msg:"SYN FIN Scan"; flags: SF;) alert tcp any any -> 192.168.1.0/24 any (msg:"FIN Scan"; flags: F;) alert tcp any any -> 192.168.1.0/24 any (msg:"NULL Scan"; flags: 0;) alert tcp any any -> 192.168.1.0/24 any (msg:"XMAS Scan"; flags: FPU;) alert tcp any any -> 192.168.1.0/24 any (msg:"Full XMAS Scan"; flags: SRAFPU;) alert tcp any any -> 192.168.1.0/24 any (flags: A; ack: 0; msg:"NMAP TCP ping!";) # detect fingerprinting attempts alert tcp any any -> 192.168.1.0/24 any (msg:"Possible NMAP Fingerprint attempt"; flags: SFPU;) alert tcp any any -> 192.168.1.0/24 any (msg:"Possible Queso Fingerprint attempt"; flags: S12;) # Windows Traceroutes alert icmp any any -> 192.168.1.0/24 any (msg:"Windows Traceroute"; TTL: 1; itype: 8;) # Standard Traceroutes alert icmp any any -> 192.168.1.0/24 any (msg:"Traceroute"; TTL: 1;) # Watch for WinGate Scans alert tcp any any -> 192.168.1.0/24 1080 (msg:"WinGate 1080 Attempt";) alert udp any any -> 192.168.1.0/24 1080 (msg:"WinGate 1080 Attempt";) alert tcp any any -> 192.168.1.0/24 8080 (msg:"WinGate 8080 Attempt";) alert udp any any -> 192.168.1.0/24 8080 (msg:"WinGate 8080 Attempt";) # submitted by Nick Rogness and Jim Forster # Backdoor Default Ports (not useful on networks with outgoing traffic) alert udp any any -> 192.168.1.0/24 31 (msg:"Hackers Paradise";) alert udp any any -> 192.168.1.0/24 456 (msg:"Hackers Paradise";) alert udp any any -> 192.168.1.0/24 555 (msg:"iNi Killer/Phase Zero/Stealth Spy";) alert udp any any -> 192.168.1.0/24 666 (msg:"Satanz Backdoor";) alert udp any any -> 192.168.1.0/24 1001 (msg:"Silencer, WebEX";) alert udp any any -> 192.168.1.0/24 1170 (msg:"Psyber Stream";) alert udp any any -> 192.168.1.0/24 1234 (msg:"Ultors Trojan";) alert udp any any -> 192.168.1.0/24 1245 (msg:"VooDoo Doll";) alert udp any any -> 192.168.1.0/24 1492 (msg:"FTP99cmp";) alert udp any any -> 192.168.1.0/24 1600 (msg:"Shivka-Burka";) alert udp any any -> 192.168.1.0/24 1807 (msg:"Spy Sender";) alert udp any any -> 192.168.1.0/24 1981 (msg:"ShockRave";) alert udp any any -> 192.168.1.0/24 1999 (msg:"Back Door";) alert udp any any -> 192.168.1.0/24 2001 (msg:"Trojan Cow";) alert udp any any -> 192.168.1.0/24 2023 (msg:"Ripper Pro";) alert udp any any -> 192.168.1.0/24 2115 (msg:"Bugs";) alert udp any any -> 192.168.1.0/24 2140 (msg:"Deep Throat/Invasor";) alert udp any any -> 192.168.1.0/24 2565 (msg:"Striker";) alert udp any any -> 192.168.1.0/24 2801 (msg:"Phineas Phucker";) alert udp any any -> 192.168.1.0/24 2989 (msg:"Rat backdoor";) alert udp any any -> 192.168.1.0/24 3024 (msg:"WinCrash";) alert udp any any -> 192.168.1.0/24 3150 (msg:"Deep Throat/Invasor";) alert udp any any -> 192.168.1.0/24 3700 (msg:"Portal Of Doom";) alert udp any any -> 192.168.1.0/24 4092 (msg:"WinCrash";) alert udp any any -> 192.168.1.0/24 4950 (msg:"ICQ Trojan";) alert udp any any -> 192.168.1.0/24 5000 (msg:"Sockets De Troie";) alert udp any any -> 192.168.1.0/24 5001 (msg:"Sockets De Troie";) alert udp any any -> 192.168.1.0/24 5321 (msg:"FireHotcker";) alert udp any any -> 192.168.1.0/24 5400 (msg:"Blade Runner";) alert udp any any -> 192.168.1.0/24 5401 (msg:"Blade Runner";) alert udp any any -> 192.168.1.0/24 5402 (msg:"Blade Runner";) alert udp any any -> 192.168.1.0/24 5569 (msg:"Robo-Hack";) alert udp any any -> 192.168.1.0/24 5742 (msg:"WinCrash";) alert udp any any -> 192.168.1.0/24 6670 (msg:"Deep Throat";) alert udp any any -> 192.168.1.0/24 6711 (msg:"Deep Throat/SubSeven";) alert udp any any -> 192.168.1.0/24 7000 (msg:"Remote Grab";) alert udp any any -> 192.168.1.0/24 7300 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7301 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7302 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7303 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7304 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7305 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7306 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7307 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7308 (msg:"Net Monitor";) alert udp any any -> 192.168.1.0/24 7789 (msg:"ICKiller";) alert udp any any -> 192.168.1.0/24 9872 (msg:"Portal Of Doom";) alert udp any any -> 192.168.1.0/24 10067 (msg:"Portal Of Doom";) alert tcp any any -> 192.168.1.0/24 10752 (msg:"Linux mountd backdoor";) alert udp any any -> 192.168.1.0/24 11223 (msg:"Progenic Trojan";) alert udp any any -> 192.168.1.0/24 12223 (msg:"Hack99-Keylogger";) alert tcp any any -> 192.168.1.0/24 12345 (msg:"Netbus/GabanBus";) alert tcp any any -> 192.168.1.0/24 12346 (msg:"Netbus/GabanBus";) alert tcp any any -> 192.168.1.0/24 12361 (msg:"Whack-a-mole";) alert tcp any any -> 192.168.1.0/24 12362 (msg:"Whack-a-mole";) alert udp any any -> 192.168.1.0/24 16969 (msg:"Portal Of Doom/Priority";) alert udp any any -> 192.168.1.0/24 20000 (msg:"Millenium";) alert udp any any -> 192.168.1.0/24 20001 (msg:"Millenium";) alert udp any any -> 192.168.1.0/24 20034 (msg:"NetBus PRO";) alert udp any any -> 192.168.1.0/24 21544 (msg:"Girlfriend";) alert udp any any -> 192.168.1.0/24 22222 (msg:"Prosiak";) alert udp any any -> 192.168.1.0/24 26274 (msg:"Delta";) alert udp any any -> 192.168.1.0/24 31337 (msg:"Back Orifice";) alert udp any any -> 192.168.1.0/24 31338 (msg:"Deep Back Orifice";) alert udp any any -> 192.168.1.0/24 31339 (msg:"NetSpy";) alert udp any any -> 192.168.1.0/24 31666 (msg:"BOWhack";) alert udp any any -> 192.168.1.0/24 33333 (msg:"Prosiak";) alert udp any any -> 192.168.1.0/24 34324 (msg:"Big Gluck/TelnetSrv";) alert udp any any -> 192.168.1.0/24 40412 (msg:"The Spy";) alert udp any any -> 192.168.1.0/24 40421 (msg:"Masters Paradise";) alert udp any any -> 192.168.1.0/24 40422 (msg:"Masters Paradise";) alert udp any any -> 192.168.1.0/24 40423 (msg:"Masters Paradise";) alert udp any any -> 192.168.1.0/24 40426 (msg:"Masters Paradise";) alert udp any any -> 192.168.1.0/24 47262 (msg:"Delta";) alert udp any any -> 192.168.1.0/24 50505 (msg:"Sockets de Troie";) alert udp any any -> 192.168.1.0/24 50776 (msg:"Fore";) alert udp any any -> 192.168.1.0/24 53001 (msg:"Remote Win Shutdown";) alert udp any any -> 192.168.1.0/24 61446 (msg:"TeleCommando";) alert udp any any -> 192.168.1.0/24 65000 (msg:"Devil";) alert tcp any any -> 192.168.1.0/24 31337 (msg:"BIND Shell";) alert udp any any -> 192.168.1.0/24 5632 (msg:"PCAnywhere"; content:"ST";) alert udp any any -> 192.168.1.0/24 22 (msg:"PCAnywhere"; content:"ST";) alert udp any any -> 192.168.1.0/24 22 (msg:"PCAnywhere"; content:"NQ";) # New backdoors from Martin Markgraf alert udp 192.168.1.0/24 2140 -> any any (content:"hhh My Mouth Is Open"; msg:"Deep Throat access";) alert udp any any -> 192.168.1.0/24 10067 (msg:"Possible Portal of Doom access";) alert udp any any -> 192.168.1.0/24 10167 (msg:"Possible Portal of Doom access";) alert udp 192.168.1.0/24 10167 -> any any (content:"KeepAliveee"; msg:"Portal of Doom access";) alert udp any any -> 192.168.1.0/24 31789 (msg:"Possible Hack a Tack access";) alert udp any any -> 192.168.1.0/24 31791 (msg:"Possible Hack a Tack access";) alert tcp any any -> 192.168.1.0/24 31785 (msg:"Possible Hack a Tack access";) alert tcp any any -> 192.168.1.0/24 30100 (msg:"Possible NetSphere access";) alert tcp 192.168.1.0/24 30100 -> any any (content:"<NetSphere"; msg:"NetSphere access"; flags: PA;) alert tcp any any -> 192.168.1.0/24 30102 (msg:"Possible NetSphere FTP acces";) alert tcp 192.168.1.0/24 30102 -> any any (content:"NetSphere Capture FTP"; msg:"NetSphere FTP acces"; flags: PA;) alert tcp any any -> 192.168.1.0/24 6969 (msg:"Possible GateCrasher access";) alert tcp 192.168.1.0/24 6969 -> any any (content:"GateCrasher"; msg:"GateCrasher access"; flags: PA;) alert tcp any any -> 192.168.1.0/24 21554 (msg:"Possible GirlFriend access";) alert tcp 192.168.1.0/24 21554 -> any any (content:"GirlFriend Server"; msg:"GirlFriend access"; flags: PA;) alert tcp any any -> 192.168.1.0/24 23456 (msg:"Possible EvilFTP access";) alert tcp 192.168.1.0/24 23456 -> any any (content:"EvilFTP"; msg:"EvilFTP access"; flags: PA;) alert tcp any any -> 192.168.1.0/24 1243 (msg:"Possible SubSeven access";) alert tcp any any -> 192.168.1.0/24 6776 (msg:"Possible SubSeven access";) # you can uncomment this rule if you like, but every TCP packet # with the PUSH and ACK flags set will have to do a # payload pattern match, which is bad for performance! #alert tcp any any -> any any (content:"phAse Zero server"; msg:"Possible phAse Zero access"; flags: PA;) #alert tcp any any -> any any (content:"connected. time/date" msg:"Possible SubSeven access"; flags: PA;) # CGI probes submitted by Martin Markgraf alert tcp any any -> 192.168.1.0/24 80 (content:"/cgi-bin/test-cgi"; msg:"TEST-CGI probe!"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (content:"/cgi-bin/handler"; msg:"HANDLER probe!"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (content:"/cgi-bin/Count.cgi"; msg:"COUNT.cgi probe!"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (content:"/cgi-bin/faxsurvey"; msg:"FAXSURVEY probe!"; flags: PA;) # CGI Probes alert tcp any any -> 192.168.1.0/24 80 (msg:"PHF CGI access attempt"; content:"/cgi-bin/phf"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"PHP CGI access attempt"; content:"/cgi-bin/php.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Webgais CGI access attempt"; content:"/cgi-bin/webgais"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Websendmail CGI access attempt"; content:"/cgi-bin/websendmail"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Webdist CGI access attempt"; content:"/cgi-bin/webdist.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Htmlscript CGI access attempt"; content:"/cgi-bin/htmlscript"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI pfdisplay access attempt"; content:"/cgi-bin/pfdisplay.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgichk Pfdispaly (sic) access attempt"; content:"/cgi-bin/pfdispaly.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Perl access attempt"; content:"/cgi-bin/perl.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Wwwboard CGI access attempt"; content:"/cgi-bin/wwwboard.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"WWW-SQL CGI access attempt"; content:"/cgi-bin/www-sql"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Guestbook CGI access attempt"; content:"/cgi-bin/guestbook.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Man access attempt"; content:"/cgi-bin/man.sh"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI view-source access attempt"; content:"/cgi-bin/view-source?../../../../../../../etc/passwd"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Finger CGI access attempt"; content:"/cgi-bin/finger"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Campas CGI access attempt"; content:"/cgi-bin/campas"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH CGI access attempt"; content:"/cgi-bin/nph-test-cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"rwwwshell CGI access attempt"; content:"/cgi-bin/rwwwshell.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH-publish CGI access attempt"; content:"/cgi-bin/nph-publish"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Aglimpse CGI access attempt"; content:"/cgi-bin/aglimpse"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Glimpse CGI access attempt"; content:"/cgi-bin/glimpse"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"AT-admin CGI access attempt"; content:"/cgi-bin/AT-admin.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Filemail CGI access attempt"; content:"/cgi-bin/filemail.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"JJ CGI access attempt"; content:"/cgi-bin/jj"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Maillist CGI access attempt"; content:"/cgi-bin/maillist.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Info2www CGI access attempt"; content:"/cgi-bin/info2www"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Files CGI access attempt"; content:"/cgi-bin/files.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Bnbform CGI access attempt"; content:"/cgi-bin/bnbform.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Survey CGI access attempt"; content:"/cgi-bin/survey.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"AnyForm CGI access attempt"; content:"/cgi-bin/AnForm2"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Textcounter CGI access attempt"; content:"/cgi-bin/textcounter.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Classifieds CGI access attempt"; content:"/cgi-bin/classifieds.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Environ CGI access attempt"; content:"/cgi-bin/environ.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Wrap CGI access attempt"; content:"/cgi-bin/wrap"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgiwrap CGI access attempt"; content:"/cgi-bin/cgiwrap"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Edit CGI access attempt"; content:"/cgi-bin/edit.pl"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Perlshop CGI access attempt"; content:"/cgi-bin/perlshop.cgi"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Args CGI access attempt"; content:"/cgi-dos/args.bat"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Upload CGI access attempt"; content:"/cgi-win/uploader.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Rguest CGI access attempt"; content:"/cgi-bin/rguest.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Wguest CGI access attempt"; content:"/cgi-bin/wguest.exe"; flags: PA;) # IIS probes alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS vti_inf access attempt"; content:"/_vti_inf.html"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/exair/howitworks/codebrws.asp"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/sdk/asp/docs/codebrws.asp"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Bdir access attempt"; content:"/scripts/iisadmin/bdir.htr"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS CGImail access attempt"; content:"/scripts/CGImail.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS NewDSN access attempt"; content:"/scripts/tools/newdsn.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Fpcount access attempt"; content:"/scripts/fpcount.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Search97 access attempt"; content:"/search97.vts"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Carbo.dll access attempt"; content:"/carbo.dll"; flags: PA;) # IIS stuff from Nick Rogness and Jim Forster alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage Service PWD Scan"; content:"/_vti_pvt/service.pwd"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage User PWD Scan"; content:"/_vti_pvt/users.pwd"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage Author PWD Scan"; content:"/_vti_pvt/authors.pwd"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage Admin PWD Scan"; content:"/_vti_pvt/administrators.pwd"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage shtml.dll Scan"; content:"/_vti_pvt/shtml.dll"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"FrontPage shtml.exe Scan"; content:"/_vti_pvt/shtml.exe"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"cgi-dos/args.bat Scan"; content:"/cgi-dos/args.bat"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Colf Fusion openfile Scan"; content:"/cfdocs/expelval/openfile.cfm"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion exprcalc Scan"; content:"/cfdocs/expelval/exprcalc.cfm"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion display Scan"; content:"/cfdocs/expelval/displayopenedfile.cfm"; flags: PA;) alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion sendmail Scan"; content:"/cfdocs/expelval/sendmail.cfm"; flags: PA;) # IMAP buffer overflow alert tcp any any -> 192.168.1.0/24 143 (msg:"IMAP Buffer Overflow!"; content:"|E8 C0FF FFFF|/bin/sh"; flags: PA;) # x86 named buffer overflow alert tcp any any -> 192.168.1.0/24 53 (msg:"named Buffer Overflow!"; content:"|CD80 E8D7 FFFF FF|/bin/sh"; flags: PA;) # New buffer overflows submitted by Martin Markgraf alert tcp any any -> 192.168.1.0/24 110 (msg:"QPOP Buffer Overflow!"; content:"|E8 D9FF FFFF|/bin/sh"; flags: PA;) alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP Buffer Overflow-1!"; content:"|5057 440A 2F69|"; flags: PA;) alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP Buffer Overflow-2!"; content:"|5858 5858 582F|"; flags: PA;) # Happy 99 Virus checking from Scott McIntyre alert tcp any any -> 192.168.1.0/24 25 (msg:"Happy 99 Virus"; content:"X-Spanska\: Yes"; flags: PA;) # SNMP attempts from Ron Gula alert udp any any -> 192.168.1.0/24 161 (msg:"SNMP NT User List"; content:"|2b06 0104 014d 0102 19|";) # netbios probes from Ron Gula alert udp any any -> 192.168.1.0/24 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";) alert tcp any any -> 192.168.1.0/24 139 (msg:"Samba client access"; content:"|00|Unix|00|Samba";) alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD..."; content:"\...|00 00 00|";) alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD.."; content:"\..|2f 00 00 00|";) alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB C$ access"; content:"\C$|00 41 3a 00|";) alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB D$ access"; content:"\D$|00 41 3a 00|";) alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB ADMIN$ access"; content:"\ADMIN$|00 41 3a 00|";) # alert on stuff going where it probably shouldn't be # note that the port range specification is inclusive, so we're keying on ports 0-1023 alert tcp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port traffic";) alert udp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port traffic";) alert tcp any 25 -> 192.168.1.0/24 :1023 (msg:"Source Port traffic";) alert tcp any any -> 192.168.1.0/24 32771 (msg: "Attempted Sun RPC high port access";) alert udp any any -> 192.168.1.0/24 32771 (msg: "Attempted Sun RPC high port access";) alert udp any any -> 192.168.1.0/24 161 (msg: "SNMP access, public"; content:"public";)