# # $Id: bleeding-dos.rules $ # Bleeding Snort dos rules. # # SID's are 2000000+ to avoid conflicts # # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release. # # More information available at www.bleedingsnort.com # # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list # #************************************************************* # # Copyright (c) 2006, Bleedingsnort.com # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # #from Nicholas Nachefski alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS HTTP GET with newline appended"; flowbits:noalert; flow: to_server,established; content:"GET / HTTP/1.0|0a|"; offset: 0; depth: 15; flowbits:set,http.get; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001635; rev:6; ) alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; flowbits:isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content:"|20202020|"; offset: 1436; depth: 4; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001636; rev:4; ) #Submitted by Cody Hatch alert udp any any -> $HOME_NET 514 (msg: "BLEEDING-EDGE DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference:url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; classtype: attempted-dos; sid: 2000010; rev:5; ) #Submitted by Cody Hatch alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; classtype: attempted-dos; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; sid: 2000011; rev:5; ) #submitted by Cody Hatch alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS Cisco Router HTTP DoS"; flow: to_server,established; uricontent:"/%%"; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000006; rev:8; ) #by Blake Hartstein of Demarc alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"BLEEDING-EDGE DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; distance:8; depth:4; content:"|00 00 00 00 00 00|"; distance:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; classtype:attempted-dos; sid:2002853; rev:1; ) #Submitted by Joseph Gama, Tweaks by Owen Crowe alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE DOS Internet Explorer Memory Corruption Bug"; flow: from_server,established; content:"@\;\/\*/i"; reference:url,www.securiteam.com/windowsntfocus/5XP051FDFM.html; classtype: misc-activity; sid: 2001205; rev:7; ) #Erik Fichtner alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM\:"; nocase; window: 0; id:0; threshold: type limit, track by_src, count 30, seconds 60; classtype: denial-of-service; sid: 2001795; rev:7; ) #by Blake Hartstein of Demarc alert tcp $EXTERNAL_NET any -> $HOME_NET 1755 (msg:"BLEEDING-EDGE DOS Microsoft Streaming Server Malformed Request"; flow:established,to_server; content:"MSB "; depth:4; content:"|06 01 07 00 24 00 00 40 00 00 00 00 00 00 01 00 00 00|"; distance:0; within:18; reference:bugtraq,1282; reference:url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx; classtype:attempted-dos; sid:2002843; rev:2; ) #Submitted by Chris Norton alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE DOS MS04-030 Attempted DoS"; flow: to_server; flowbits:isnotset,tagged; content:"xmlns\:z"; content:"xml\:"; nocase; tag: host,10,packets,src; flowbits:set,tagged; reference:url,isc.sans.org/diary.php?date=2004-10-20; classtype: attempted-dos; sid: 2001362; rev:4; ) #From Erik Fichtner # NOTE: If you can, put in a check on offset 20 through 23, as these # are the source IP of the packet that is supposedly generating # the traffic that caused the icmp unreach (EG: YOU.) example, if you # have 192.168.0.0/24, you could put: # byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22; # or (even faster) content:"|C0A800|"; offset: 20; depth:23; # You get the idea. This may well be unnecessary overkill. YMMV. alert icmp any any -> $HOME_NET any (msg: "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"; itype: 3; icode: >1<5; byte_test:1,=,6,17;threshold: type threshold, track by_dst, count 30, seconds 300; reference:cve,can-2004-0790; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: attempted-dos; sid: 2001846; rev:9; ) # From Erik Fichtner: # alert on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors) # below a sane value, eg 576 bytes. Adjust to taste. # true RFC791 min = 68, true end-to-end pmtu compatble min = 132. # real world might even go as high as 1100 bytes min. YMMV. alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,7;byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:5; ) #Submitted by Johnathan Norman alert tcp any any -> $HOME_NET 2702 (msg: "BLEEDING-EDGE DOS Microsoft SMS dos attempt"; flow: to_server,established; content:"RCH0"; nocase; pcre:"/RCH0####RCHE.{130,}/smi"; reference:url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0; classtype: attempted-dos; sid: 2000496; rev:6; ) #Submitted by Chris Norton alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flowbits:isnotset,tagged; flow: established,to_server; content:"|10 00 00 10 cc|"; offset: 0; depth: 5; tag: host,3,packets,src; flowbits:set,tagged; reference:bugtraq,11265; classtype: attempted-dos; sid: 2001366; rev:6; ) # alert tcp any any -> $HOME_NET 443 (msg:"BLEEDING-EDGE DOS SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2000016; rev:4;)