
WSU04: Wireshark Network Forensics and Security

Appendix F:
Snort Rules
Wireshark University

Sample ICMP Rules


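# Sample ICMP rules.
# Each rule is written on a single line: Snort loads one rule per line (or
# explicit backslash continuations), so the page-wrapped lines of the original
# listing would not parse as written. $EXTERNAL_NET and $HOME_NET are Snort
# variables and must be defined in snort.conf before these rules load.
#
# sid:465 - ICMP type 8 (echo request) whose first 32 payload bytes contain "ISSPNGRQ".
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:4;)
# sid:466 - echo request (type 8, code 0) carrying a fixed 32-byte alphabet payload; depth:32 bounds the match to that payload length.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:5;)
# sid:467 - echo request with a 20-byte all-zero payload (dsize:20) and ICMP id/seq both 0.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:4;)
# sid:469 - echo request with an empty payload (dsize:0); no content is checked, the empty payload is the only discriminator.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:4;)
# sid:471 - empty echo request with ICMP id 666, ICMP seq 0 and IP id 666.
# The stray space before ";" in the original ("icmp_id:666 ;") is normalised away.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:4;)
# sid:472 / sid:473 - ICMP redirects (type 5): host redirect (code 1) and network redirect (code 0), both classed bad-unknown rather than recon.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)
# sid:474 - echo request whose 8-byte payload is all zeros.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:5;)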

Sample Scan Rules


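# Sample scan rules, rejoined to one rule per line (the page-wrapped original
# would not load). $EXTERNAL_NET / $HOME_NET come from snort.conf.
#
# sid:613 - SYN (flags:S) with ack 0 and TTL above 220, from source port 10101; flow:stateless so it fires without stream tracking.
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
# sid:616 - "VERSION\n" within the first 16 bytes of an established client->server ident (port 113) stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
# sid:636 - UDP to port 7 (echo) carrying the string "cybercop".
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
# sid:637 - UDP to any port carrying "\nhelp\nquite\n". "quite" is spelled that way in the source
# listing and is kept verbatim: the content must match the probe's bytes exactly.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:5;)
# sid:1638 - case-insensitive "Version_Mapper" in an established client->server stream to port 22.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)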

WSU04: Network Forensics and Security – Appendix F Page F-2


© 2007 Protocol Analysis Institute, Inc.
Wireshark University

Sample Bad Traffic Rules


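# Sample bad-traffic rules, rejoined to one rule per line.
# All four are "ip any any -> any any": they fire on any packet carrying the
# named IP protocol number regardless of direction or address, so they are
# not scoped by $HOME_NET. They share the same bugtraq/CVE/nessus references.
#
# sid:2186 - IP protocol 53 (SWIPE).
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2186; rev:4;)
# sid:2187 - IP protocol 55 (IP Mobility).
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2187; rev:4;)
# sid:2188 - IP protocol 77 (Sun ND).
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:4;)
# sid:2189 - IP protocol 103 (PIM).
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)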

Sample DOS Rules


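# Sample DoS rules, rejoined to one rule per line (the split CVE number and
# the split Microsoft bulletin URL of the original are restored).
#
# sid:272 - IGMP (ip_proto:2) with the More Fragments bit set (fragbits:M+).
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:11;)
# sid:274 - echo request containing "+++ath" (case-insensitive).
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:6;)
# sid:1605 - six 0xFF bytes at offset 0 of an established client->server stream to port 6004.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:8;)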

Sample Exploit Rules


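# Sample exploit rules (SSH CRC32 overflow family), rejoined to one rule per line.
# All three are plaintext content matches on established client->server streams
# to port 22. NOTE(review): SSH payload is encrypted once key exchange completes,
# so these can only match during the unencrypted setup phase - confirm that is
# the coverage expected before relying on them.
#
# sid:1324 - literal "/bin/sh" in the stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
# sid:1325 - 18 consecutive NUL bytes. Commented out in the source listing (presumably
# because such a run is too generic to be a reliable signature); kept disabled here.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
# sid:1326 - 16 consecutive 0x90 bytes (NOP sled).
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)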

WSU04: Network Forensics and Security – Appendix F Page F-3


© 2007 Protocol Analysis Institute, Inc.
Wireshark University

Sample Exploit Rules (Continued)

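# Sample exploit rules (continued), rejoined to one rule per line. In the source
# listing the first rule's header was separated from its options by a page break.
#
# sid:1327 - two content matches on an established client->server stream to port 22:
# "|00 01|W|00 00 00 18|" within the first 7 bytes, then "|FF FF FF FF 00 00|"
# starting at offset 8 within the first 14 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:8;)
# sid:283 - server->client direction (source port 80, flow:to_client): a fixed
# mixed text/hex byte sequence in an established HTTP response stream.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)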

Sample FTP Rules


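# Sample FTP rules, rejoined to one rule per line.
# Each follows the same pattern on an established client->server stream to port 21:
# a case-insensitive match on the FTP command, isdataat:N,relative to require N
# further bytes after it, and a pcre that anchors the command at line start and
# requires one non-newline whitespace character followed by N non-newline bytes
# (i.e. an over-long argument). The "/smi" flags make the pcre multi-line,
# dot-all and case-insensitive.
#
# sid:2546 - MDTM with a 100-byte argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:6;)
# sid:2373 - XMKD with a 200-byte argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:6;)
# sid:2374 - NLST with a 200-byte argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; reference:bugtraq,7909; reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:9;)
# sid:2449 - ALLO with a 200-byte argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:5;)
# sid:2389 - RNTO with a 200-byte argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:9;)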

WSU04: Network Forensics and Security – Appendix F Page F-4


© 2007 Protocol Analysis Institute, Inc.
