This document contains examples of Snort rules for detecting various network threats such as ICMP scans, TCP scans, bad traffic, denial of service attacks, exploits, and FTP vulnerabilities. The rules specify traffic patterns that Snort can match to identify these threats traversing networks.
Sample Bad-Traffic Rules
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2186; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2187; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)
Sample DOS Rules
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:11;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:8;)
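The rules above are only patterns; to make the match logic concrete, the following added example (written for this page, not Snort's own code) parses the rule header and the options these rules use (ip_proto, itype, fragbits, flow, content with nocase and offset, and the $HOME_NET/$EXTERNAL_NET variables) and evaluates four of the page's rules against constructed packets. It assumes a $HOME_NET of 192.168.1.0/24 with $EXTERNAL_NET meaning "not $HOME_NET", models a packet as a plain record whose established/to_server flags stand in for Snort's stream tracker, and trims the reference lists of the rules it embeds; none of the traffic is captured.

```python
"""Tiny Snort-style matcher for the option subset these rules use (ip_proto, itype, fragbits,
flow, content/nocase/offset, $HOME_NET). Added example, not Snort's code; packets are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]  # assumed lab value; $EXTERNAL_NET = !$HOME_NET
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}          # an "ip" rule matches any IP protocol
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*((?:"[^"]*"|[^;])*?))?\s*;')  # quoted values may hold ';'

@dataclass
class Packet:  # only the fields these rules inspect
    src: str
    dst: str
    ip_proto: int
    sport: int = 0
    dport: int = 0
    itype: int = -1
    fragbits: set = field(default_factory=set)  # subset of {"M", "D", "R"}
    payload: bytes = b""
    established: bool = False  # stands in for the stream tracker's verdict
    to_server: bool = False

def decode_content(s):
    """Snort content syntax: literal text outside |..| pipes, hex bytes inside them."""
    out = bytearray()
    for i, seg in enumerate(s.split("|")):
        out += bytes.fromhex(seg) if i % 2 else seg.encode("latin-1")
    return bytes(out)

def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    action, proto, src, sport, _, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": {}, "contents": []}
    for name, val in OPTION_RE.findall(body):
        val = val.strip().strip('"')
        if name == "content":
            rule["contents"].append({"bytes": decode_content(val), "nocase": False, "offset": 0})
        elif name in ("nocase", "offset"):  # modifiers bind to the content before them
            rule["contents"][-1][name] = True if name == "nocase" else int(val)
        else:  # msg, sid, ip_proto, reference, ... (reference may repeat)
            rule["opts"].setdefault(name, []).append(val)
    return rule

def addr_match(spec, ip):
    at_home = any(ipaddress.ip_address(ip) in net for net in HOME_NET)
    if spec in ("any", "$HOME_NET", "$EXTERNAL_NET"):
        return {"any": True, "$HOME_NET": at_home, "$EXTERNAL_NET": not at_home}[spec]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def fragbits_match(spec, bits):
    """M/D/R flags; '+' = these plus any others, '*' = any of these, '!' = none of these, else exact."""
    mod = next((c for c in spec if c in "+*!"), "")
    want = set(spec) - set("+*!")
    return {"+": want <= bits, "*": bool(want & bits), "!": not (want & bits)}.get(mod, want == bits)

def content_match(c, payload):
    window, needle = payload[c["offset"]:], c["bytes"]
    if c["nocase"]:
        window, needle = window.lower(), needle.lower()
    return needle in window  # offset alone does not anchor the match; only depth would bound it

def rule_matches(rule, pkt):
    o, flow = rule["opts"], rule["opts"].get("flow", [""])[0].split(",")
    header_ok = ((rule["proto"] == "ip" or PROTO_NUM[rule["proto"]] == pkt.ip_proto)
                 and addr_match(rule["src"], pkt.src) and addr_match(rule["dst"], pkt.dst)
                 and all(spec == "any" or int(spec) == port
                         for spec, port in ((rule["sport"], pkt.sport), (rule["dport"], pkt.dport))))
    return (header_ok
            and ("ip_proto" not in o or int(o["ip_proto"][0]) == pkt.ip_proto)
            and ("itype" not in o or int(o["itype"][0]) == pkt.itype)
            and ("fragbits" not in o or fragbits_match(o["fragbits"][0], pkt.fragbits))
            and ("established" not in flow or pkt.established)
            and ("to_server" not in flow or pkt.to_server)
            and all(content_match(c, pkt.payload) for c in rule["contents"]))

def run(rule_texts, packets):  # -> [(packet index, sid, msg)] for every rule that fires
    rules = [parse_rule(t) for t in rule_texts]
    return [(i, int(r["opts"]["sid"][0]), r["opts"]["msg"][0])
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]
RULES = [  # four rules from this page, reference lists trimmed
    'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; '
    'reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:4;)',
    'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; '
    'reference:cve,1999-0918; classtype:attempted-dos; sid:272; rev:11;)',
    'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; '
    'reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:6;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; '
    'content:"|FF FF FF FF FF FF|"; offset:0; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:8;)',
]
EXT, HOME = "203.0.113.5", "192.168.1.10"  # assumed attacker / victim addresses
PACKETS = [  # constructed traffic, not captures
    Packet(EXT, HOME, ip_proto=55),                                    # IP Mobility header  -> sid 2187
    Packet(EXT, HOME, ip_proto=2, fragbits={"M"}),                     # fragmented IGMP     -> sid 272
    Packet(EXT, HOME, ip_proto=2),                                     # unfragmented IGMP   -> nothing
    Packet(EXT, HOME, ip_proto=1, itype=8, payload=b"xx+++ATH0\r\n"),  # echo request        -> sid 274 (nocase)
    Packet(EXT, HOME, ip_proto=6, sport=40000, dport=6004, payload=b"\xff" * 6 + b"\x00",
           established=True, to_server=True),                          # iParty flood        -> sid 1605
    Packet("192.168.1.20", HOME, ip_proto=6, sport=40001, dport=6004, payload=b"\xff" * 6,
           established=True, to_server=True),                          # same bytes from inside -> nothing
]
ALERTS = run(RULES, PACKETS)  # [(0, 2187, ...), (1, 272, ...), (3, 274, ...), (4, 1605, ...)]
```

Two things the run makes visible that the rule text alone does not: the last packet carries exactly the iParty payload but never alerts, because $EXTERNAL_NET in the header excludes sources inside $HOME_NET, and `offset:0` with no `depth` does not pin the six 0xFF bytes to the start of the payload, so the rule would fire on them anywhere in the segment. The BAD-TRAFFIC rules, by contrast, are `any any -> any any` and key only on the protocol number, so on a network that legitimately runs PIM (IP protocol 103) between its own routers sid 2189 will alert on that traffic too; tune the header or suppress per source before deploying it.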