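# These rules are trying to log data to "sensitive" ports, plus alert on truly
# suspicious activity. Note that you must change the addresses to reflect
# your local network; these rules are currently set up for an RFC 1918 address
# space. Every rule below now uses the same subnet (192.168.1.0/24), so one
# search-and-replace adapts the whole file. (Newer Snort releases can declare
# the subnet once with "var HOME_NET"; literal addresses are kept here so the
# file also loads on older releases.)
# Some of these rules may not be suspicious in your network environment, and
# using all of the rules at the same time may lead to serious packet loss
# on slower machines. YMMV, use with caution, standard disclaimers apply. :)
# If you need help writing a specific rule, feel free to drop me a line!
# -Marty (roesch@clark.net)
# Credits:
# Ron Gula of Network Security Wizards
# Martin Markgraf
#
# Rule anatomy, for readers new to the format:
#   <action> <proto> <src addr> <src port> -> <dst addr> <dst port> (<options>)
# "alert" generates an alert (and logs the packet); "log" only logs it.
# A port of ":N" means every port up to N, "A:B" is a range, "any" is a
# wildcard. Options used here: msg = alert text, content = payload match
# (|..| is hex), flags = TCP flag set, itype = ICMP type, TTL = IP time-to-live.
# Rules without an option block are plain log rules with no match condition
# beyond the header.

##################################
# alert on interesting packets
##################################

# look for stealth port scans/sweeps
# None of these flag combinations occurs in a legitimate TCP exchange, so a
# single packet is enough to alert on.
alert tcp any any -> 192.168.1.0/24 any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> 192.168.1.0/24 any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> 192.168.1.0/24 any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> 192.168.1.0/24 any (msg:"XMAS Scan"; flags: FPU;)
alert tcp any any -> 192.168.1.0/24 any (msg:"FULL XMAS Scan"; flags: SRAFPU;)

# find backdoor attempts
# These match on destination port only (no content), so any legitimate service
# that happens to listen on one of these ports will also trigger them.
alert udp any any -> 192.168.1.0/24 31337 (msg:"Possible Back Orifice access";)
alert tcp any any -> 192.168.1.0/24 12345 (msg:"Possible Netbus access";)
alert udp any any -> 192.168.1.0/24 2140 (msg:"Possible Deep Throat access";)

# detects Win 9x/NT/2k traceroute (ICMP echo request arriving with TTL 1)
alert icmp any any -> 192.168.1.0/24 any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)

# detect standard traceroutes (UDP probe arriving with TTL 1)
alert udp any any -> 192.168.1.0/24 any (msg:"Traceroute"; TTL: 1;)

# These rules handle specific buffer overflow attempts.
# Each content string is a fragment of a known exploit payload (machine code
# in hex followed by the "/bin/sh" string), matched on the service's port.

# IMAP buffer overflow
alert tcp any any -> 192.168.1.0/24 143 (msg:"IMAP buffer overflow!"; content:"|E8 C0FF FFFF|/bin/sh";)

# x86 named buffer overflow
alert tcp any any -> 192.168.1.0/24 53 (msg:"named buffer overflow!"; content:"|CD80 E8D7 FFFF FF|/bin/sh";)

# New buffer overflows submitted by Martin Markgraf.
# These were originally written for 192.168.42.0/24; they now target the same
# subnet as the rest of the file so they actually see the monitored traffic.
alert tcp any any -> 192.168.1.0/24 110 (msg:"QPOP buffer overflow!"; content:"|E8 D9FF FFFF|/bin/sh";)
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP buffer overflow1!"; content:"|5057 440A 2F69|";)
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP buffer overflow2!"; content:"|5858 5858 582F|";)

# generic unknown buffer overflow
# a string of NOOPs for a specific architecture may indicate a buffer overflow
# attempt. This one looks for twelve x86 NOPs (0x90) on ANY port, so expect it
# to fire on legitimate binary transfers as well; it is the noisiest rule here.
alert tcp any any -> 192.168.1.0/24 any (msg:"Possible x86 buffer overflow!"; content:"|9090 9090 9090 9090 9090 9090|";)

# New CGI probes submitted by Martin Markgraf
alert tcp any any -> 192.168.1.0/24 80 (msg:"TEST-CGI probe!"; content:"/cgi-bin/test-cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"HANDLER probe!"; content:"/cgi-bin/handler";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"COUNT.cgi probe!"; content:"/cgi-bin/Count.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"FAXSURVEY probe!"; content:"/cgi-bin/faxsurvey";)

# Cold Fusion probe catcher
# The sample-application pages live under /cfdocs/expeval/. An earlier copy of
# three of these rules (in the IIS section) spelled the directory "expelval",
# which can never match a real request; those copies have been folded in here
# along with the sendmail.cfm rule, and each page now gets its own msg so the
# alert tells you which page was requested.
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion openfile.cfm probe!"; content:"/cfdocs/expeval/openfile.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion displayopenedfile.cfm probe!"; content:"/cfdocs/expeval/displayopenedfile.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion exprcalc.cfm probe!"; content:"/cfdocs/expeval/exprcalc.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion sendmail.cfm probe!"; content:"/cfdocs/expeval/sendmail.cfm";)

# SNMP attempts from Ron Gula
# Matches the BER-encoded OID prefix of the NT user-list MIB subtree in an
# SNMP request to port 161.
alert udp any any -> 192.168.1.0/24 161 (msg:"SNMP NT User List"; content:"|2b06 0104 014d 0102 19|";)

# netbios probes from Ron Gula
# The wildcard name is the NetBIOS-encoded "*" name (CKAAAA...). The share
# rules carry a literal backslash at the start of the content string exactly as
# the contributor wrote it; NOTE(review): check your Snort release's content
# escaping rules before relying on them, since some releases require "\\".
alert udp any any -> 192.168.1.0/24 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"Samba client access"; content:"|00|Unix|00|Samba";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD..."; content:"\...|00 00 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD.."; content:"\..|2f 00 00 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB C$ access"; content:"\C$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB D$ access"; content:"\D$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB ADMIN$ access"; content:"\ADMIN$|00 41 3a 00|";)

# CGI Probes
# Each rule matches the request path of a CGI program with a known weakness.
# Note that content matching is a plain substring search on port 80 traffic,
# so a page that merely mentions one of these paths will also trigger.
alert tcp any any -> 192.168.1.0/24 80 (msg:"PHF CGI access attempt"; content:"/cgi-bin/phf";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"PHP CGI access attempt"; content:"/cgi-bin/php.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Webgais CGI access attempt"; content:"/cgi-bin/webgais";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Websendmail CGI access attempt"; content:"/cgi-bin/websendmail";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Webdist CGI access attempt"; content:"/cgi-bin/webdist.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Htmlscript CGI access attempt"; content:"/cgi-bin/htmlscript";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI pfdisplay access attempt"; content:"/cgi-bin/pfdisplay.cgi";)
# The misspelling "pfdispaly" below is deliberate: it is the name a widely
# circulated scanner requests, so it is worth alerting on separately.
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgichk Pfdispaly (sic) access attempt"; content:"/cgi-bin/pfdispaly.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Perl access attempt"; content:"/cgi-bin/perl.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wwwboard CGI access attempt"; content:"/cgi-bin/wwwboard.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"WWW-SQL CGI access attempt"; content:"/cgi-bin/www-sql";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Guestbook CGI access attempt"; content:"/cgi-bin/guestbook.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Man access attempt"; content:"/cgi-bin/man.sh";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI view-source access attempt"; content:"/cgi-bin/view-source?../../../../../../../etc/passwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Finger CGI access attempt"; content:"/cgi-bin/finger";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Campas CGI access attempt"; content:"/cgi-bin/campas";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH CGI access attempt"; content:"/cgi-bin/nph-test-cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"rwwwshell CGI access attempt"; content:"/cgi-bin/rwwwshell.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH-publish CGI access attempt"; content:"/cgi-bin/nph-publish";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Aglimpse CGI access attempt"; content:"/cgi-bin/aglimpse";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Glimpse CGI access attempt"; content:"/cgi-bin/glimpse";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"AT-admin CGI access attempt"; content:"/cgi-bin/AT-admin.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Filemail CGI access attempt"; content:"/cgi-bin/filemail.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"JJ CGI access attempt"; content:"/cgi-bin/jj";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Maillist CGI access attempt"; content:"/cgi-bin/maillist.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Info2www CGI access attempt"; content:"/cgi-bin/info2www";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Files CGI access attempt"; content:"/cgi-bin/files.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Bnbform CGI access attempt"; content:"/cgi-bin/bnbform.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Survey CGI access attempt"; content:"/cgi-bin/survey.cgi";)
# The script is called AnyForm2; the previous content "AnForm2" was a typo that
# could never match.
alert tcp any any -> 192.168.1.0/24 80 (msg:"AnyForm CGI access attempt"; content:"/cgi-bin/AnyForm2";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Textcounter CGI access attempt"; content:"/cgi-bin/textcounter.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Classifieds CGI access attempt"; content:"/cgi-bin/classifieds.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Environ CGI access attempt"; content:"/cgi-bin/environ.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wrap CGI access attempt"; content:"/cgi-bin/wrap";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgiwrap CGI access attempt"; content:"/cgi-bin/cgiwrap";)
# edit.pl was listed five times; one copy is enough (duplicates only
# multiply the alerts for the same packet).
alert tcp any any -> 192.168.1.0/24 80 (msg:"Edit CGI access attempt"; content:"/cgi-bin/edit.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Perlshop CGI access attempt"; content:"/cgi-bin/perlshop.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Args CGI access attempt"; content:"/cgi-dos/args.bat";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Upload CGI access attempt"; content:"/cgi-win/uploader.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Rguest CGI access attempt"; content:"/cgi-bin/rguest.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wguest CGI access attempt"; content:"/cgi-bin/wguest.exe";)

# IIS probes
# FrontPage extension files (_vti_*), sample applications and admin scripts
# that should not be reachable from outside.
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS vti_inf access attempt"; content:"/_vti_inf.html";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS service.pwd access attempt"; content:"/_vti_pvt/service.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS users.pwd access attempt"; content:"/_vti_pvt/users.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS authors.pwd access attempt"; content:"/_vti_pvt/authors.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS administrators.pwd access attempt"; content:"/_vti_pvt/administrators.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS shtml.dll access attempt"; content:"/_vti_pvt/shtml.dll";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS shtml.exe access attempt"; content:"/_vti_pvt/shtml.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/exair/howitworks/codebrws.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/sdk/asp/docs/codebrws.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Bdir access attempt"; content:"/scripts/iisadmin/bdir.htr";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS CGImail access attempt"; content:"/scripts/CGImail.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS NewDSN access attempt"; content:"/scripts/tools/newdsn.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Fpcount access attempt"; content:"/scripts/fpcount.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Search97 access attempt"; content:"/search97.vts";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Carbo.dll access attempt"; content:"/carbo.dll";)

# alert on stuff going where it probably shouldn't be
# Traffic FROM a DNS or SMTP source port TO a privileged port on our side is
# not how replies normally look; packet filters that trust those source ports
# can let such traffic through, so it is worth an alert. The msg now names the
# source port and protocol so the three alerts can be told apart.
alert tcp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port 53 TCP traffic";)
alert udp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port 53 UDP traffic";)
alert tcp any 25 -> 192.168.1.0/24 :1023 (msg:"Source Port 25 TCP traffic";)

#log interesting ICMP traffic
log icmp any any -> any any (itype: 8;)    # echo request
log icmp any any -> any any (itype: 0;)    # echo reply
log icmp any any -> any any (itype: 13;)   # timestamp request
log icmp any any -> any any (itype: 15;)   # information request
log icmp any any -> any any (itype: 17;)   # address mask request

#log interesting TCP/UDP traffic

#all tcp traffic below port 1024
# ":1023" is inclusive, so this is ports 0-1023, matching both the comment and
# the UDP rule further down (the old ":1024" also swept in port 1024).
log tcp any any -> 192.168.1.0/24 :1023

#grab incoming xwindows traffic
log tcp any any -> 192.168.1.0/24 6000:6010

# incoming high port RPC stuff too
#log tcp any any -> 192.168.1.0/24 32000:33000

#do the same for UDP
log udp any any -> 192.168.1.0/24 :1023
log udp any any -> 192.168.1.0/24 32000:33000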