#
# $Id: bleeding.rules $
# Bleeding Snort rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#  Copyright (c) 2006, Bleedingsnort.com
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
# Added 2006-02-21 after pondering about the current OS/X issue
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT Mac OS/X MIME Header x-unix-mode Tag"; flow:from_server,established; content:"Content-Transfer-Encoding"; nocase; content:"Content-Type"; nocase; within:100; content:"x-unix-mode"; nocase; within:100; classtype:string-detect; reference:url,isc.sans.org/diary.php?storyid=1138; sid:2002813; rev:2;)

#by jnorcross
#This will false some, but should be minimal. This should be removed in a month or so. Reevaluate on 1/1/07
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT EVENTS Bagle.Gen HTTP Get Traffic - Possible Infected Host"; flow: established,to_server; pcre:"//.*/w\.php/Ui"; classtype: trojan-activity; sid:2002692; rev:2;)

#By david Glosser. This is an experiment. There are a large number of phishing scams
# using this login url. We want to see if this is a useful thing to alert on.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Possible Phishing URL Retrieved"; flow:established,to_server; uricontent:"/LoginMember.do"; nocase; classtype:misc-activity; reference:url,www.millersmiles.co.uk/report/1838; sid:2002747; rev:1;)

# The rules below were written in response to an ISC Diary that listed known
# evil, poisoning name servers .

# Added by Frank Knobbe
alert udp $HOME_NET any -> [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; reference:url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:5; )
alert tcp $HOME_NET any -> [209.123.63.168,64.21.61.5,205.162.201.11,217.16.26.148] any (msg: "BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001835; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Web page trying to infect PCs with malware - ISC Diary"; flow: established,to_server; uricontent:"/g7/anticheatsys.php?id=36381"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001836; rev:8; )

# Submitted by Stephane Nasdrovisky
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 218.38.13.108"; content:"|da 26 0d 6c|"; classtype: bad-unknown; sid: 2001837; rev:3; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 217.16.26.148"; content:"|d9 10 1a 94|"; classtype: bad-unknown; sid: 2001838; rev:2; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: 205.162.201.11"; content:"|cd a2 c9 0b|"; classtype: bad-unknown; sid: 2001839; rev:2; )
alert udp any 53 -> any any (msg: "BLEEDING-EDGE Suspicious DNS server answer\: besthost.co.kr"; content:"|08 62 65 73 74 68 6f 73 74 02 63 6f 02 6b 72 00|"; classtype: bad-unknown; sid: 2001840; rev:2; )

#Matt Jonkman, related to dns poisoning
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 7sir7.com"; content:"|05|7sir7|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001842; rev:5; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain 123xxl.com"; content:"|06|123xxl|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001843; rev:5; )
alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE Possible DNS Lookup for DNS Poisoning Domain abx4.com"; content:"|04|abx4|03|com"; nocase; reference:url,isc.sans.org/diary.php?date=2005-04-07; classtype: misc-activity; sid: 2001844; rev:5; )

#from dajackman re incidents.org entry
alert tcp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp)"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002670; rev:2;)
alert udp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp)"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002672; rev:2;)

# Added by Frank Knobbe in preparation for Sober activity
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - people.freenet.de"; content:"|06|people|07|freenet|02|de"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002712; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - scifi.pages.at"; content:"|05|scifi|05|pages|02|at"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002713; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.pages.at"; content:"|04|home|05|pages|02|at"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002714; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - free.pages.at"; content:"|04|free|05|pages|02|at"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002715; rev:1; )
#alert udp $HOME_NET any -> any 53 (msg: "BLEEDING-EDGE DNS Lookup for sites serving Sober control activity - home.arcor.de"; content:"|04|home|05|arcor|02|de"; nocase; reference:url,www.f-secure.com/weblog/archives/archive-122005.html#00000729; reference:url,www.lurhq.com/soberdates.html; classtype: misc-activity; sid:2002716; rev:1; )

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT EVENTS Microsoft Internet Explorer Window() Possible Code Execution"; flow:established,from_server; content:"window"; nocase; pcre:"/<[a-z][^>]+on[^>]+[^a-z_]window\s*\(\s*\)/i"; reference:url,secunia.com/advisories/15546; reference:url,www.computerterrorism.com/research/ie/ct21-11-2005; reference:cve,2005-1790; classtype:attempted-user; sid:2002682; rev:5; )

#by Tom at Doctorunix.com
#This should be looked at for removal about 1/1/06, this will be evaded soon surely
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT shellbot code injection attempt"; flow: established,from_client; uricontent:"/fbi.gif?&cmd"; nocase; classtype: web-application-attack; sid:2002701; rev:1;)

#matt Jonkman from ISC diary entry of 9/21/05
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT Hostile Javascript s_ta_ts.js Requested"; flow:established,to_server; uricontent:"/s_ta_ts.js"; nocase; reference:url,isc.sans.org/diary.php?date=2005-09-21; classtype:suspicious-filename-detect; sid:2002378; rev:2;)

# From forum post by merphie. We should remove this around 8/25 or so assuming the threat has passed
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg: "BLEEDING-EDGE Current Events OSA4.GIF Detected Possible Trojan.Tooso Infection"; flow:to_server,established; uricontent:"/osa4.gif"; nocase; depth:50; classtype:trojan-activity; sid:2002189; rev: 6;)