#
# $Id: bleeding-attack_response.rules $
# Bleeding Snort attack response rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. 
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#
#  Copyright (c) 2006, Bleedingsnort.com
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
# Access to backdoor created by some SSL exploit
alert tcp any any -> $HOME_NET 31337 (msg: "BLEEDING-EDGE ATTACK RESPONSE Potential root shell connection detected!"; flow: established,to_server; tag: session, 20, packets; classtype: bad-unknown; sid: 2001545; rev:2; )

#by atomic-penguin
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/^530s+(Login|User)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 120; sid:2002383; rev:1;)

#by Matt Jonkman
alert tcp $HOME_NET $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP"; flow:established,from_server; content:"root\:x\:0\:0\:root\:/root\:/"; nocase; classtype:misc-activity; sid: 2002034; rev:3; )

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; sid: 2000499; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; classtype: string-detect; sid: 2000500; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; classtype: string-detect; sid: 2000501; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; classtype: string-detect; sid: 2000502; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; classtype: string-detect; sid: 2000503; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; classtype: string-detect; sid: 2000504; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; classtype: string-detect; sid: 2000505; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; classtype: string-detect; sid: 2000506; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; classtype: string-detect; sid: 2000507; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; classtype: string-detect; sid: 2000508; rev:5; )

#Matt Jonkman, information from Stephen Gill at Cymru
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; nocase; classtype:trojan-activity; sid:2002809; rev:1;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; nocase; classtype:trojan-activity; sid:2002810; rev:1;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; nocase; classtype:trojan-activity; sid:2002811; rev:1;)

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:5; )
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: trojan-activity; sid: 2000347; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; tag: session,300,seconds; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; sid: 2000348; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC SEND"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000349; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC CHAT chat"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000350; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN \: #"; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: policy-violation; sid: 2000351; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:5; )
#Erik Fichtner
alert tcp $HOME_NET any -> any 6667 (msg: "BLEEDING-EDGE ATTACK RESPONSE Likely Botnet Activity"; flow: to_server,established; content:"PRIVMSG"; nocase; tag: session,50,packets; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; sid: 2001620; rev:4; )

#By Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE ATTACK RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From\: anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent\: PHP"; nocase; classtype: web-application-activity; sid: 2001628; rev:3; )

#By Matt Jonkman
# Still doesn't work, but we hope to figure out a way in the future...
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE ATTACK RESPONSE Successful user connection AFTER Brute Force Attack"; dsize: 52; flags: AP; flowbits: isset,ssh.brute.attempt; threshold: type both, track by_src, count 2, seconds 60; classtype: successful-user; sid: 2001717; rev:6; )

#By Erik Fichtner
alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "BLEEDING-EDGE ATTACK RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; sid: 2001616; rev:6; )