[Snort-sigs] snort-rules CURRENT update @ Wed Apr 2 17:20:39 2003

From: <bmc(at)snort.org>
Date: Wed Apr 02 2003 - 17:31:05 EST

This rule update was brought to you by Oinkmaster. Written by Andreas Östling <andreaso@it.su.se>

[*] Rule modifications: [*]

  [+++] Added: [+++]

     file -> backdoor.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date\: "; depth:22; content:"version\: GOLD 2.1"; distance:1; classtype:misc-activity; sid:2100; rev:1;)
     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:43; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:1;)



-------------------------------------------------------

This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Wed Apr 2 18:07:32 2003