# These rules log traffic to "sensitive" ports and alert on truly suspicious
# activity.  Note that you must change the addresses to reflect your local
# network; these rules are currently set up for an RFC 1918 address space.

# Some of these rules may not be suspicious in your network environment, and
# using all of the rules at the same time may lead to serious packet loss
# on slower machines.  YMMV, use with caution, standard disclaimers apply. :)

# If you need help writing a specific rule, feel free to drop me a line!

#  -Marty (roesch@clark.net) 

# Credits:

# Ron Gula <support@network-defense.com> of Network Security Wizards

# Martin Markgraf <martin@mail.du.gtn.com>  



##################################
# alert on interesting packets
##################################

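# look for stealth port scans/sweeps
# Each rule keys on a TCP flag combination that a normal TCP conversation does
# not produce (flags: lists the bits that must be set; 0 means none set).
# Single hits can come from broken stacks; a burst across many hosts or ports
# is the real signal.
alert tcp any any -> 192.168.1.0/24 any (msg:"SYN FIN Scan"; flags: SF;)
alert tcp any any -> 192.168.1.0/24 any (msg:"FIN Scan"; flags: F;)
alert tcp any any -> 192.168.1.0/24 any (msg:"NULL Scan"; flags: 0;)
alert tcp any any -> 192.168.1.0/24 any (msg:"XMAS Scan"; flags: FPU;)
# msg used to carry a leading space (" FULL XMAS Scan"), which made the alert
# text inconsistent with the other scan alerts and awkward to search for.
alert tcp any any -> 192.168.1.0/24 any (msg:"FULL XMAS Scan"; flags: SRAFPU;)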

# find backdoor attempts
# Port-only matches (no content: option), so any packet to these ports fires,
# including a plain port scan - hence the "Possible" wording in the msg.
# The ports are the ones the named tools are known to listen on by default:
# 31337/udp Back Orifice, 12345/tcp NetBus, 2140/udp Deep Throat.
alert udp any any -> 192.168.1.0/24 31337 (msg:"Possible Back Orifice access";)
alert tcp any any -> 192.168.1.0/24 12345 (msg:"Possible Netbus access";)
alert udp any any -> 192.168.1.0/24 2140 (msg:"Possible Deep Throat access";)

# detects Win 9x/NT/2k traceroute
# Windows tracert probes with ICMP echo requests (itype 8) whose TTL grows by
# one per probe; the probe that finally reaches a host on this net arrives with
# TTL 1, which is what this rule keys on.
alert icmp any any -> 192.168.1.0/24 any (msg:"Windows Traceroute"; TTL: 1; itype: 8;)

# detect standard traceroutes
# Unix-style traceroute does the same with UDP datagrams, so any UDP packet
# arriving with TTL 1 is reported.  NOTE(review): anything that deliberately
# sends with TTL 1 (link-local / multicast chatter) will also match - look at
# what the alert actually captures before tuning it out.
alert udp any any -> 192.168.1.0/24 any (msg:"Traceroute"; TTL: 1;) 

# These rules handle specific buffer overflow attempts
# Each content: is a fixed byte pattern (hex inside | |) followed by the
# literal string "/bin/sh" - a fragment of one published exploit payload, so
# the rule matches that exact encoding only.  Variants with a different
# preamble or shell path will not be caught; the generic NOP-sled rule further
# down is the fallback.
# IMAP buffer overflow (143/tcp)
alert tcp any any -> 192.168.1.0/24 143 (msg:"IMAP buffer overflow!"; content:"|E8 C0FF FFFF|/bin/sh";)

# x86 named buffer overflow (53/tcp - zone transfers / long queries, not 53/udp)
alert tcp any any -> 192.168.1.0/24 53 (msg:"named buffer overflow!"; content:"|CD80 E8D7 FFFF FF|/bin/sh";)

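# New buffer overflows submitted by Martin Markgraf
# As submitted these watched the contributor's 192.168.42.0/24; the destination
# has been changed to 192.168.1.0/24 so they cover the same address space as
# every other rule in this file (on a 192.168.1.0/24 net they would otherwise
# never fire).  Like the rules above, each content: is one exact exploit
# fragment, not a general detector for the service.
alert tcp any any -> 192.168.1.0/24 110 (msg:"QPOP buffer overflow!"; content:"|E8 D9FF FFFF|/bin/sh";)
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP buffer overflow1!"; content:"|5057 440A 2F69|";)
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP buffer overflow2!"; content:"|5858 5858 582F|";)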

# generic unknown buffer overflow
# a string of NOOPs for a specific architecture may indicate a buffer overflow attempt
# 0x90 is the x86 NOP opcode; twelve in a row on any TCP port is the trigger.
# Because it applies to every destination port, binary transfers (uploads,
# images, compressed data) can hit it by chance - this is the noisiest rule in
# the file, see the packet-loss warning at the top.
alert tcp any any -> 192.168.1.0/24 any (msg:"Possible x86 buffer overflow!"; content:"|9090 9090 9090 9090 9090 9090|";)

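# New CGI probes submitted by Martin Markgraf
# Option order normalised to msg-first, as everywhere else in this file;
# option order does not affect matching.  content: is a substring match on
# the request payload, so any request naming the script fires the rule.
alert tcp any any -> 192.168.1.0/24 80 (msg:"TEST-CGI probe!"; content:"/cgi-bin/test-cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"HANDLER probe!"; content:"/cgi-bin/handler";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"COUNT.cgi probe!"; content:"/cgi-bin/Count.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"FAXSURVEY probe!"; content:"/cgi-bin/faxsurvey";)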

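# Cold Fusion probe catcher
# Requests for the Cold Fusion sample pages under /cfdocs/expeval/.  The three
# rules originally shared the msg "Cold Fusion probe!", so an alert did not say
# which page was requested; each now carries its own msg.  Option order is
# msg-first like the rest of the file (order does not affect matching).
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion openfile.cfm probe!"; content:"/cfdocs/expeval/openfile.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion displayopenedfile.cfm probe!"; content:"/cfdocs/expeval/displayopenedfile.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cold Fusion exprcalc.cfm probe!"; content:"/cfdocs/expeval/exprcalc.cfm";)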

# SNMP attempts from Ron Gula
# The hex is a BER-encoded OID: 2b 06 01 04 01 4d 01 02 19 decodes to
# 1.3.6.1.4.1.77.1.2.25 (enterprise 77 = LAN Manager MIB; the msg labels it
# the NT user list).  NOTE(review): a legitimate management station polling
# that table matches too - expect to exclude your own poller's address.
alert udp any any -> 192.168.1.0/24 161 (msg:"SNMP NT User List"; content:"|2b06 0104 014d 0102 19|";)

# netbios probes from Ron Gula
# 137/udp is the NetBIOS name service.  "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" is
# the first-level-encoded wildcard name "*", i.e. a status query for any name -
# host enumeration, though some legitimate tools send it as well.
alert udp any any -> 192.168.1.0/24 137 (msg:"SMB Name Wildcard"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";)
# 139/tcp is SMB over NetBIOS session service.
# - a client announcing itself as Samba (the "Unix"/"Samba" native-OS strings)
alert tcp any any -> 192.168.1.0/24 139 (msg:"Samba client access"; content:"|00|Unix|00|Samba";)
# - path components of ".." / "..." in a request, i.e. an attempt to step out
#   of the shared directory tree (exact framing presumably version-specific -
#   confirm against captures before tuning)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD..."; content:"\...|00 00 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB CD.."; content:"\..|2f 00 00 00|";)
# - connections to the administrative shares; |00 41 3a 00| looks like the
#   "A:" (disk) service-type string that follows the share name in a tree
#   connect.  Admins use these shares too, so correlate with source address.
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB C$ access"; content:"\C$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB D$ access"; content:"\D$|00 41 3a 00|";)
alert tcp any any -> 192.168.1.0/24 139 (msg:"SMB ADMIN$ access"; content:"\ADMIN$|00 41 3a 00|";)

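# CGI Probes
# Requests for CGI scripts with published weaknesses or that leak information.
# content: is a substring match on the request payload, so any request naming
# the path fires (scanners walking a list will light up many of these at once).
# Four verbatim duplicates of the edit.pl rule were removed; one copy remains.
alert tcp any any -> 192.168.1.0/24 80 (msg:"PHF CGI access attempt"; content:"/cgi-bin/phf";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"PHP CGI access attempt"; content:"/cgi-bin/php.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Webgais CGI access attempt"; content:"/cgi-bin/webgais";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Websendmail CGI access attempt"; content:"/cgi-bin/websendmail";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Webdist CGI access attempt"; content:"/cgi-bin/webdist.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Htmlscript CGI access attempt"; content:"/cgi-bin/htmlscript";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI pfdisplay access attempt"; content:"/cgi-bin/pfdisplay.cgi";)
# Deliberate misspelling: this is the path the cgichk scanner requests (see msg).
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgichk Pfdispaly (sic) access attempt"; content:"/cgi-bin/pfdispaly.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Perl access attempt"; content:"/cgi-bin/perl.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wwwboard CGI access attempt"; content:"/cgi-bin/wwwboard.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"WWW-SQL CGI access attempt"; content:"/cgi-bin/www-sql";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Guestbook CGI access attempt"; content:"/cgi-bin/guestbook.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI Man access attempt"; content:"/cgi-bin/man.sh";)
# Matches only this exact traversal string; other depths or encodings will not
# be seen by this rule.
alert tcp any any -> 192.168.1.0/24 80 (msg:"CGI view-source access attempt"; content:"/cgi-bin/view-source?../../../../../../../etc/passwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Finger CGI access attempt"; content:"/cgi-bin/finger";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Campas CGI access attempt"; content:"/cgi-bin/campas";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH CGI access attempt"; content:"/cgi-bin/nph-test-cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"rwwwshell CGI access attempt"; content:"/cgi-bin/rwwwshell.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"NPH-publish CGI access attempt"; content:"/cgi-bin/nph-publish";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Aglimpse CGI access attempt"; content:"/cgi-bin/aglimpse";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Glimpse CGI access attempt"; content:"/cgi-bin/glimpse";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"AT-admin CGI access attempt"; content:"/cgi-bin/AT-admin.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Filemail CGI access attempt"; content:"/cgi-bin/filemail.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"JJ CGI access attempt"; content:"/cgi-bin/jj";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Maillist CGI access attempt"; content:"/cgi-bin/maillist.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Info2www CGI access attempt"; content:"/cgi-bin/info2www";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Files CGI access attempt"; content:"/cgi-bin/files.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Bnbform CGI access attempt"; content:"/cgi-bin/bnbform.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Survey CGI access attempt"; content:"/cgi-bin/survey.cgi";)
# NOTE(review): msg says "AnyForm" but the content is "AnForm2" - confirm the
# intended script name; if it is a typo the rule never matches the real probe.
alert tcp any any -> 192.168.1.0/24 80 (msg:"AnyForm CGI access attempt"; content:"/cgi-bin/AnForm2";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Textcounter CGI access attempt"; content:"/cgi-bin/textcounter.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Classifieds CGI access attempt"; content:"/cgi-bin/classifieds.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Environ CGI access attempt"; content:"/cgi-bin/environ.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wrap CGI access attempt"; content:"/cgi-bin/wrap";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Cgiwrap CGI access attempt"; content:"/cgi-bin/cgiwrap";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Edit CGI access attempt"; content:"/cgi-bin/edit.pl";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Perlshop CGI access attempt"; content:"/cgi-bin/perlshop.cgi";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Args CGI access attempt"; content:"/cgi-dos/args.bat";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Upload CGI access attempt"; content:"/cgi-win/uploader.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Rguest CGI access attempt"; content:"/cgi-bin/rguest.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"Wguest CGI access attempt"; content:"/cgi-bin/wguest.exe";)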

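# IIS probes
# Requests for FrontPage extension files (_vti_*), IIS sample and admin
# scripts, and a few other well-known exposures.  content: is a substring
# match on the request payload, so the rule fires for any request that
# names the path.
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS vti_inf access attempt"; content:"/_vti_inf.html";)
# The _vti_pvt/*.pwd files hold FrontPage credential data; any request for
# them is worth a look.
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS service.pwd access attempt"; content:"/_vti_pvt/service.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS users.pwd access attempt"; content:"/_vti_pvt/users.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS authors.pwd access attempt"; content:"/_vti_pvt/authors.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS administrators.pwd access attempt"; content:"/_vti_pvt/administrators.pwd";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS shtml.dll access attempt"; content:"/_vti_pvt/shtml.dll";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS shtml.exe access attempt"; content:"/_vti_pvt/shtml.exe";)
# Two install locations of the same sample page share one msg on purpose.
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/exair/howitworks/codebrws.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Codebrowser access attempt"; content:"/iissamples/sdk/asp/docs/codebrws.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Showcode access attempt"; content:"/msads/Samples/SELECTOR/showcode.asp";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Bdir access attempt"; content:"/scripts/iisadmin/bdir.htr";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS CGImail access attempt"; content:"/scripts/CGImail.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS NewDSN access attempt"; content:"/scripts/tools/newdsn.exe";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Fpcount access attempt"; content:"/scripts/fpcount.exe";)
# The openfile/exprcalc/displayopenedfile rules that used to follow here spelt
# the path "/cfdocs/expelval/", which does not match the "/cfdocs/expeval/"
# used by the Cold Fusion group earlier in this file, so they could never fire;
# with the spelling corrected they duplicate that group and have been dropped.
# sendmail.cfm is not covered elsewhere and is kept with the corrected path.
# It is a Cold Fusion sample page rather than an IIS file, despite the msg.
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Sendmail access attempt"; content:"/cfdocs/expeval/sendmail.cfm";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Search97 access attempt"; content:"/search97.vts";)
alert tcp any any -> 192.168.1.0/24 80 (msg:"IIS Carbo.dll access attempt"; content:"/carbo.dll";)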


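# alert on stuff going where it probably shouldn't be
# Packets whose *source* port is a service port (53 or 25) arriving at a
# privileged destination port (:1023) on the local net.  Genuine replies from
# DNS and SMTP servers go back to the client's ephemeral port, so a privileged
# destination is out of place; it was a common way of getting past filters
# that trust traffic by source port alone.
# NOTE(review): DNS server-to-server traffic (53 -> 53) matches the first two
# rules - expect hits from your own resolvers and secondaries.
# Each rule now has its own msg (all three originally said just "Source Port
# traffic"), so the protocol and source port are visible in the alert itself.
alert tcp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port 53 traffic (TCP)";)
alert udp any 53 -> 192.168.1.0/24 :1023 (msg:"Source Port 53 traffic (UDP)";)
alert tcp any 25 -> 192.168.1.0/24 :1023 (msg:"Source Port 25 traffic (TCP)";)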

#log interesting ICMP traffic
# itype: is the ICMP message type: 8 echo request, 0 echo reply,
# 13 timestamp request, 15 information request, 17 address mask request.
# Timestamp, information and address-mask requests have little legitimate use
# and are typical of host fingerprinting and network mapping; echo is kept for
# completeness.  These are log rules, so the packets are recorded rather than
# raised as alerts.
log icmp any any -> any any (itype: 8;)
log icmp any any -> any any (itype: 0;)
log icmp any any -> any any (itype: 13;)
log icmp any any -> any any (itype: 15;)
log icmp any any -> any any (itype: 17;)

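#log interesting TCP/UDP traffic
#all tcp traffic below port 1024
# Range corrected from :1024 to :1023 so it really is "below port 1024" as the
# comment says, and agrees with the UDP rule below and the :1023 used by the
# source-port alerts above.
log tcp any any -> 192.168.1.0/24 :1023

#grab incoming xwindows traffic
log tcp any any -> 192.168.1.0/24 6000:6010

# incoming high port RPC stuff too
# (left disabled as in the original; enable alongside the UDP rule below if
# the volume on your network is acceptable)
#log tcp any any -> 192.168.1.0/24 32000:33000

#do the same for UDP
log udp any any -> 192.168.1.0/24 :1023
log udp any any -> 192.168.1.0/24 32000:33000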