#;
#; $Id: dpu-snort.rules,v 1.5 2004/04/29 20:57:36 epancer Exp $
#;
#; dpu-snort.rules - additions to snort local.rules
#;
#; Copyright (c) 2004. DePaul University. All Rights Reserved.
#;
#; * Redistributions of source code must retain the above copyright
#;   notice, this list of conditions and the following disclaimer.
#; * Redistributions in binary form must reproduce the above copyright
#;   notice, this list of conditions and the following disclaimer in
#;   the documentation and/or other materials provided with the
#;   distribution.
#;
#; THE INFORMATION CONTAINED HEREIN IS PROVIDED BY THE REGENTS AND
#; CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
#; BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
#; FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
#; REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#; SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
#; TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR
#; PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
#; LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
#; NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#; INFORMATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#;
#; Notes:
#;
#; We find these useful for detecting local miscellaneous noise on the
#; network. This information has been compiled with the help of various
#; persons -- we DID NOT AUTHOR ALL OF THESE RULES, and if you are the
#; author and wish to be credited here, feel free to contact us at
#; . To those that did assist or author the
#; rules listed here, we *greatly* appreciate your doing so!
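#;
#; Add the following to your sid-msg.map
#; 1010001 || EXPLOIT - DCE RPC Interface Buffer Overflow Exploit
#; 1010002 || EXPLOIT - DCOM Exploit
#; 2010001 || PROXY - Proxy CONNECT to HOME_NET
#; 2010002 || PROXY - Proxy CONNECT to SMTP Server from HOME_NET
#; 2010101 || PROXY - Regate Scan
#; 2020001 || BOT - FTP Server on Non-standard Port
#; 2030001 || BOT - XDCC Total Offered
#; 2030002 || BOT - Host Entered XDCC Control Channel
#; 2030101 || BOT - Host in ELYSIUM IRC Channel
#; 2030102 || BOT - Host in SICK-XDCC IRC Channel
#; 3010001 || MALWARE - Possible Download from marnet.us
#; 6010001 || SCAN - Microsoft Directory and File Services
#;
#; ...you get the point, right?
#;
# NOTE(review): the sid-msg.map excerpt above and the rules below have drifted
# apart.  sids 1010001, 1010002 and 2010101 are listed but no rule in this file
# carries them; the map omits 6010002, 6010003, 7000002-7000005, 2523, 1000075,
# 1000076 and the mirrored VRT sids (2507-2519); and the map text for 2010001 /
# 2010002 ("PROXY - Proxy CONNECT ...") does not match those rules' msg strings
# ("PROXY - CONNECT ...").  Regenerate the map from the msg: fields rather than
# maintaining it by hand.
#
# Layout convention: one rule per paragraph, header on the first line, options
# on backslash-continued lines.  Snort joins continued lines before parsing, so
# never place a continuation inside a quoted msg:/content: string.
#
# vim: ts=8 sw=8 nowrap

############################################################################
### IRC ####################################################################
# Ports 5999:7001 cover the common IRC listener range.  The first two rules
# look at client -> server traffic from $HOME_NET; the last two look at
# server -> client traffic, which is why their header puts the IRC port on
# the source side and their flow: qualifier is from_server.

alert tcp $HOME_NET any -> any 5999:7001 \
        (msg:"BOT - XDCC Total Offered"; \
        content:"Total Offered"; nocase; \
        classtype:misc-activity; sid:2030001; rev:1;)

alert tcp $HOME_NET any -> any 5999:7001 \
        (msg:"BOT - Host Entered XDCC Control Channel"; \
        content:"xdcc"; depth: 8; nocase; \
        classtype:misc-activity; sid:2030002; rev:1;)

# threshold "type both": alert once per source when the count is reached in
# the window, then stay quiet for the rest of the window.
alert tcp any 5999:7001 -> $HOME_NET any \
        (msg:"BOT - Host in ELYSIUM IRC Channel"; \
        content:"#ELYSIUM"; \
        flow:established,from_server; \
        threshold: type both, track by_src, count 20, seconds 180; \
        classtype:misc-activity; priority:6; sid:2030101; rev:1;)

# FIX: the header is server-port -> $HOME_NET, so the flow qualifier must be
# from_server (as in sid:2030101).  The previous to_server qualifier
# contradicted the header direction and the rule could not match; rev bumped.
alert tcp any 5999:7001 -> $HOME_NET any \
        (msg:"BOT - Host in SICK-XDCC IRC Channel"; \
        content:"#SICK-XDCC"; \
        flow:established,from_server; \
        threshold: type both, track by_src, count 6, seconds 120; \
        classtype:misc-activity; priority:6; sid:2030102; rev:2;)

############################################################################
### Proxy Connections ######################################################
# Both rules anchor "CONNECT " (8 bytes) at the start of the payload via
# depth: 8.  The "!6667" destination port presumably excludes IRC so that
# IRC CTCP/DCC chatter does not trip these -- TODO confirm intent.

alert tcp any any -> $HOME_NET !6667 \
        (msg:"PROXY - CONNECT to HOME_NET"; \
        content:"CONNECT "; depth: 8; \
        flow:established,to_server; \
        classtype:misc-activity; priority:3; sid:2010001; rev:1;)

# The second content ("\:25", i.e. ":25") must appear within 20 bytes after
# the CONNECT verb, so only CONNECT requests naming an SMTP port match.
alert tcp $HOME_NET any -> any !6667 \
        (msg:"PROXY - CONNECT to SMTP Server from HOME_NET"; \
        content:"CONNECT "; depth: 8; content:"\:25"; within: 20; \
        flow:established,to_server; \
        classtype:misc-activity; priority:2; sid:2010002; rev:1;)

############################################################################
### FTP Servers ############################################################
# Detects an internal host answering a PASV command on a port other than 21.
# Matches the "227" reply code in the first 5 bytes plus the standard reply
# text.  NOTE(review): there is no flow: qualifier, so unestablished or
# client-side packets are also inspected; "flow:established,from_server"
# would narrow it -- left unchanged to preserve the author's behaviour.
alert tcp $HOME_NET !21 -> any any \
        (msg:"BOT - FTP Server on Non-standard Port"; \
        content:"227"; offset:0; depth:5; \
        content:"Entering Passive Mode"; nocase; \
        threshold: type limit, track by_src, count 1, seconds 30; \
        classtype:misc-activity; priority:4; sid:2020001; rev:1;)

############################################################################
### Malware Downloads ######################################################
# NOTE(review): the destination is a hostname, not an IP/CIDR/variable.
# Whether (and when) Snort resolves it depends on the version -- at best it
# is resolved once at rule load, so a DNS change silently blinds the rule.
# Prefer "var MARNET_US <ip>" in snort.conf and "$MARNET_US" here -- TODO.
alert tcp $HOME_NET any -> marnet.us 80 \
        (msg:"MALWARE - Possible Download from marnet.us"; \
        content:"GET"; depth: 8; nocase; \
        classtype:misc-activity; priority:6; sid:3010001; rev:1;)

############################################################################
### Network Scans ##########################################################
# Three identical SYN-counting rules (stateless, flags:S with reserved bits
# ignored) that differ only in destination port and sid.  An internal host
# sending more than 530 SYNs to the given port in 10 minutes alerts once.
# They share one msg: text, so the sid is the only way to tell them apart
# in alert output.

alert tcp $HOME_NET any -> $EXTERNAL_NET 445 \
        (msg:"SCAN - Microsoft Directory and File Services"; stateless; flags:S,12; \
        threshold: type threshold, track by_src, count 530, seconds 600; \
        classtype:network-scan; priority: 7; sid:6010001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 137 \
        (msg:"SCAN - Microsoft Directory and File Services"; stateless; flags:S,12; \
        threshold: type threshold, track by_src, count 530, seconds 600; \
        classtype:network-scan; priority: 7; sid:6010002; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 139 \
        (msg:"SCAN - Microsoft Directory and File Services"; stateless; flags:S,12; \
        threshold: type threshold, track by_src, count 530, seconds 600; \
        classtype:network-scan; priority: 7; sid:6010003; rev:1;)

############################################################################
### W32.Slammer ############################################################
# All four rules watch UDP/1434 traffic *leaving* $HOME_NET, i.e. they
# identify an already-infected internal host that is propagating, and only
# alert once a source exceeds 520 matching datagrams in 10 minutes.  The
# four signatures overlap heavily (different byte patterns from the same
# worm payload); a single infected host will typically trip several of them.

alert udp $HOME_NET any -> any 1434 \
        (msg: "WORM - W32.SLAMMER"; \
        content:"dllhel32hkernQhounthickChGetTf"; \
        threshold: type threshold, track by_src, count 520, seconds 600; \
        classtype:bad-unknown; sid:7000002; rev:1;)

alert udp $HOME_NET any -> any 1434 \
        (msg:"WORM - MS-SQL Slammer Worm Activity"; \
        content:"|04 01 01 01 01 01 01 01|"; \
        threshold: type threshold, track by_src, count 520, seconds 600; \
        classtype:bad-unknown; sid:7000003; rev:1;)

# Second content pins the first payload byte (0x04) via offset:0; depth:1.
alert udp $HOME_NET any -> any 1434 \
        (msg:"WORM - W32.Slammer Propagation"; \
        content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; \
        content:"|04|"; offset:0; depth:1; \
        threshold: type threshold, track by_src, count 520, seconds 600; \
        classtype:bad-unknown; sid:7000004; rev:1;)

alert udp $HOME_NET any -> any 1434 \
        (msg:"WORM - MS-SQL Slammer WormActivity"; \
        content:"|81f10301049b81f101|"; \
        threshold: type threshold, track by_src, count 520, seconds 600; \
        classtype:bad-unknown; sid:7000005; rev:1;)

############################################################################
### Mirrored from snort sigs list, just modified for home use ##############
# "Modified for home use" = the headers are flipped to $HOME_NET -> $EXTERNAL_NET,
# so these fire on an *internal* host attacking outward, not on inbound attacks.
#
# NOTE(review): these keep the upstream sids (2507-2519, 2523).  If the
# official rule set of the same vintage is also loaded, the duplicate sids
# may be rejected at load time or make alert attribution ambiguous (version
# dependent).  Assigning local sids (>= 1000000) avoids both problems.
#
# Two-stage LSASS detection via flowbits (bind rules are flowbits:noalert and
# only mark the session; the DsRolerUpgradeDownlevelServer rules alert when
# the matching bit is set):
#   445: sid:2512, sid:2513 set dce.lsass_ds.bind.call.attempt     -> sid:2514
#   139: sid:2510, sid:2509 set ssn.lsass_ds.bind.call.attempt     -> sid:2511
#   135: sid:2507           sets netbios.lsass_ds.bind.call.attempt -> sid:2508

alert tcp $HOME_NET any -> $EXTERNAL_NET 465 \
        (msg:"EXPLOIT -- SMTP LDAP PCT Long Client_Hello message exploit attempt"; \
        flow:to_server,established; content:"|80|"; distance:0; within:1; \
        content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; \
        isdataat:1,relative; reference:cve,CAN-2004-0719; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2519; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 995 \
        (msg:"EXPLOIT -- POP3 LDAP PCT Long Client_Hello message exploit attempt"; \
        flow:to_server,established; content:"|80|"; distance:0; within:1; \
        content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; \
        isdataat:1,relative; reference:cve,CAN-2004-0719; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2518; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 993 \
        (msg:"EXPLOIT -- IMAP LDAP PCT Long Client_Hello message exploit attempt"; \
        flow:to_server,established; content:"|80|"; distance:0; within:1; \
        content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; \
        isdataat:1,relative; reference:cve,CAN-2004-0719; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2517; rev:1;)

# 445 / unicode pipe name: marks the session, never alerts on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 \
        (msg:"EXPLOIT -- NETBIOS SMB DCERPC LSASS bind attempt microsoft-ds"; \
        flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; \
        depth:5; content:"|26 00|"; distance:56; within:2; \
        content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; \
        content:"|05|"; distance:2; within:1; content:"|0b|"; \
        distance:1; within:1; byte_test:1,&,1,0,relative; \
        content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; \
        within:16; flowbits:set,dce.lsass_ds.bind.call.attempt; \
        flowbits:noalert; reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:protocol-command-decode; sid:2512; rev:1;)

# 139 / alerting stage; requires the ssn.* bit set by sid:2510 or sid:2509.
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 \
        (msg:"EXPLOIT -- NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt netbios-ssn"; \
        flow:to_server,established; content:"|FF|SMB|2F|"; nocase; \
        offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; \
        within:1; content:"|09 00|"; distance:19; within:2; \
        flowbits:isset,ssn.lsass_ds.bind.call.attempt; \
        reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2511; rev:1;)

# 139 / ASCII pipe name: marks the session, never alerts on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 \
        (msg:"EXPLOIT -- NETBIOS SMB DCERPC LSASS bind attempt netbios-ssn"; \
        flow:to_server,established; content:"|00|"; offset:0; depth:1; \
        content:"|FF|SMB|25|"; nocase; offset:4; depth:5; \
        byte_test:2,^,1,5,relative; content:"|26 00|"; \
        distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; \
        distance:4; within:10; byte_test:1,&,16,1,relative; \
        content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; \
        distance:29; within:16; flowbits:set,ssn.lsass_ds.bind.call.attempt; \
        flowbits:noalert; reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:protocol-command-decode; sid:2510; rev:1;)

# 139 / unicode pipe name: marks the session, never alerts on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 \
        (msg:"EXPLOIT -- NETBIOS SMB DCERPC LSASS unicode bind attempt netbios-ssn"; \
        flow:to_server,established; content:"|00|"; offset:0; depth:1; \
        content:"|FF|SMB|25|"; nocase; offset:4; depth:5; \
        byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; \
        content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; \
        distance:4; within:15; byte_test:1,&,16,1,relative; \
        content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; \
        distance:29; within:16; flowbits:set,ssn.lsass_ds.bind.call.attempt; \
        flowbits:noalert; reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:protocol-command-decode; sid:2509; rev:1;)

# 445 / alerting stage; requires the dce.* bit set by sid:2512 or sid:2513.
# FIX: the msg: string previously spanned a backslash continuation, which
# can leave stray whitespace in (or break parsing of) the alert text; the
# message is now on one line.  Text unchanged, so rev is kept.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 \
        (msg:"EXPLOIT -- NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt microsoft-ds"; \
        flow:to_server,established; content:"|FF|SMB|2F|"; \
        nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; \
        within:1; content:"|09 00|"; distance:19; within:2; \
        flowbits:isset,dce.lsass_ds.bind.call.attempt; reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2514; rev:1;)

# 445 / unicode pipe name with NetBIOS session header: marks the session only.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 \
        (msg:"EXPLOIT -- NETBIOS SMB DCERPC LSASS unicode bind attempt microsoft-ds"; \
        flow:to_server,established; content:"|00|"; offset:0; depth:1; \
        content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; \
        distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; \
        distance:4; within:15; byte_test:1,&,16,1,relative; \
        content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; \
        within:16; flowbits:set,dce.lsass_ds.bind.call.attempt; flowbits:noalert; \
        reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:protocol-command-decode; sid:2513; rev:1;)

# 135 / raw DCERPC bind: marks the session, never alerts on its own.
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
        (msg:"EXPLOIT -- NETBIOS DCERPC LSASS bind attempt netbios"; \
        flow:to_server,established; content:"|05|"; distance:0; \
        within:1; content:"|00|"; distance:1; within:1; \
        byte_test:1,&,1,0,relative; \
        content:"|6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5|"; \
        distance:29; within:16; flowbits:set,netbios.lsass_ds.bind.call.attempt; \
        flowbits:noalert; reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:protocol-command-decode; sid:2507; rev:1;)

# 135 / alerting stage; requires the netbios.* bit set by sid:2507.
# FIX: msg: string moved onto one line (was split by a continuation), as for
# sid:2514.  Text unchanged, so rev is kept.
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 \
        (msg:"EXPLOIT -- NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt netbios"; \
        flow:to_server,established; content:"|05|"; \
        distance:0; within:1; content:"|00|"; distance:1; within:1; \
        content:"|09 00|"; distance:19; within:2; \
        flowbits:isset,netbios.lsass_ds.bind.call.attempt; \
        reference:cve,CAN-2003-0533; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2508; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 639 \
        (msg:"EXPLOIT -- MISC LDAP PCT Long Client_Hello message exploit attempt"; \
        flow:to_server,established; content:"|80|"; \
        distance:0; within:1; content:"|01|"; distance:1; within:1; \
        byte_jump:1,-2,relative; isdataat:1,relative; \
        reference:cve,CAN-2004-0719; \
        reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
        classtype:attempted-admin; sid:2516; rev:1;)

############################################################################
### BGP? I prefer RIPv1 ####################################################
# Bidirectional (<>) so resets in either direction of a BGP session count.
# FIX: the threshold previously read "track, by_dst" -- the stray comma
# separates the keyword from its argument and the option does not parse.
# Corrected to "track by_dst"; rev bumped.
alert tcp $HOME_NET any <> $EXTERNAL_NET 179 \
        (msg:"EXPLOIT -- MISC BGP Connection Reset Denial of Service"; \
        flow:established; flags: RSF*; \
        threshold: type both, track by_dst, count 10, seconds 30; \
        reference:cve,CAN-2004-0230; \
        reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; \
        classtype:attempted-dos; sid:2523; rev:2;)

############################################################################
### More bot cruft #########################################################
# Both rules are any -> any on purpose: the bot's control/P2P ports are not
# fixed.  dsize:40 equals the exact length of the content pattern (35 text
# bytes + 5 hex bytes), so only a payload consisting solely of that banner
# matches.

alert tcp any any -> any any \
        (msg:"BOT -- Agobot/Phatbot Infection Successful"; flow:established; \
        content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; \
        dsize:40; classtype:trojan-activity; \
        reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

# The second content must start within 15 bytes after the end of "Wonk-".
alert tcp any any -> any any \
        (msg:"BOT -- Phatbot P2P Control Connection"; flow:established; \
        content:"Wonk-"; content:"|00|#waste|00|"; within:15; \
        classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; \
        sid:1000076; rev:1;)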